
Re: php vulnerability



On Di, 21.12.2004, 17:35, Sam Morris wrote:
> Florian Weimer wrote:
>> * Christian Storch:
>> > > Use a backport of PHP 4.3.10.  Apparently, there is no other way at
>> > > this stage to be sure.  (Upstream no longer supports PHP 4.1.x.)
>> >
>> > What about a kind of fork into php4-1 for woody?
>>
>> The diff from 4.3.9 to 4.3.10 is about 4,000 lines long.  It contains
>> other changes, of course, but you still have to isolate the security
>> fixes.  However, in the past, the PHP team neither provided clear
>> descriptions of security bugs, nor were the CVS log messages
>> enlightening.  From Debian's point of view, the situation gets more
>> difficult as other distributions withdraw PHP 4.1.x support.
>>
>> What's worse, some of the changed parts are not covered by the PHP
>> test suite.  This means that regression testing is not possible (until
>> the update has been installed on a large number of machines).
>>
>> > Or are there any considerations within security team about patching
>> > 4.1 in woody?
>>
>> We are talking about a
>> person-week of work, for someone who is not familiar with the PHP code
>> base.  Significantly less work is required if upstream is somewhat
>> supportive and provides a clear description of the bugs, including
>> proper test cases.
>
> I'm sure saying this won't win me any friends, but should software that
> the security team is unable to support have a place in a stable release
> of Debian?
>
> The discussion about volatile.debian.org showed that a newer branch of
> software can't very well be backported to Stable when upstream drops
> support for the version that Stable includes, so that's not an option.
> To mention nothing about maintaining the stability of a stable release.

Don't know if anyone misunderstood my suggestion of "php4-1":

I mean a second branch of php in stable with version 4.3.X which
could (hopefully) further be supported by the security team.

My opinion: increase security for the price of a shorter time of testing.
And a second branch would avoid any unpredictable script problems after
careless upgrading.

And what about http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285845
It's giving a little hope that it could be possible to backport the
security fixes?

Christian


