Re: php vulnerability
On Di, 21.12.2004, 17:35, Sam Morris wrote:
> Florian Weimer wrote:
>> * Christian Storch:
>> > > Use a backport of PHP 4.3.10. Apparently, there is no other way at
>> > > this stage to be sure. (Upstream no longer supports PHP 4.1.x.)
>> >
>> > What about a kind of fork into php4-1 for woody?
>>
>> The diff from 4.3.9 to 4.3.10 is about 4,000 lines long. It contains
>> other changes, of course, but you still have to isolate the security
>> fixes. However, in the past, the PHP team neither provided clear
>> descriptions of security bugs, nor were the CVS log messages
>> enlightening. From Debian's point of view, the situation gets more
>> difficult as other distributions withdraw PHP 4.1.x support.
>>
>> What's worse, some of the changed parts are not covered by the PHP
>> test suite. This means that regression testing is not possible (until
>> the update has been installed on a large number of machines).
>>
>> > Or are there any considerations within security team about patching
>> > 4.1 in woody?
>>
>> We are talking about a
>> person-week of work, for someone who is not familiar with the PHP code
>> base. Significantly less work is required if upstream is somewhat
>> supportive and provides a clear description of the bugs, including
>> proper test cases.
>
> I'm sure saying this won't win me any friends, but should software that
> the security team is unable to support have a place in a stable release
> of Debian?
>
> The discussion about volatile.debian.org showed that a newer branch of
> software can't very well be backported to Stable when upstream drops
> support for the version that Stable includes, so that's not an option.
> To mention nothing about maintaining the Stability of a stable release.
Don't know if anyone misunderstood my suggestion of "php4-1":
I mean a second branch of php in stable with version 4.3.X which
could (hopefully) further be supported by the security team.
My opinion: increase security for the price of a shorter time of testing.
And a second branch would avoid any unpredictable script problems after
careless upgrading.
And what about http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285845
It's giving a little hope that it could be possible to backport the
security fixes?
Christian