[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: php vulnerability

On Di, 21.12.2004, 17:35, Sam Morris wrote:
> Florian Weimer wrote:
>> * Christian Storch:
>> > > Use a backport of PHP 4.3.10.  Apparently, there is no other way at
>> > > this stage to be sure.  (Upstream no longer supports PHP 4.1.x.)
>> >
>> > What about a kind of fork into php4-1 for woody?
>> The diff from 4.3.9 to 4.3.10 is about 4,000 lines long.  It contains
>> other changes, of course, but you still have to isolate the security
>> fixes.  However, in the past, the PHP team neither provided clear
>> descriptions of security bugs, nor were the CVS log messages
>> enlightening.  From Debian's point of view, the situation gets more
>> difficult as other distributions withdraw PHP 4.1.x support.
>> What's worse, some of the changed parts are not covered by the PHP
>> test suite.  This means that regression testing is not possible (until
>> the update has been installed on a large number of machines).
>>>Or are there any considerations within security team about patching
>>>4.1 in woody?
>> We are talking about a
>> person-week of work, for someone who is not familiar with the PHP code
>> base.  Significantly less work is required if upstream is somewhat
>> supportive and provides a clear description of the bugs, including
>> proper test cases.
> I'm sure saying this won't win my any friends, but should software that
> the security team is unable to support have a place in a stable release
> of Debian?
> The discussion about volitile.debian.org showed that a newer branch of
> software can't very well be backported to Stable when upstream drops
> support for the version that Stable includes, so that's not an option.
> To mention nothing about maintaining the Stability of a stable release.

Don't know if anyone misunderstood my suggestion of "php4-1":

I mean a second branch of php in stable with version 4.3.X which
could (hopefully) further be supported by secutity team.

My opinion: increase security for the price of a shorter time of testing.
And a second branch would avoid any unpredictable script problems after
careless upgrading.

And what about http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285845
It's giving a little hope that it could be possible to backport the
security fixes?


Reply to: