
Re: AW: Vulnerable PHP version according to nessus



On 12/28/11 05:51, Jordon Bedwell wrote:
> On Wed, Dec 28, 2011 at 2:54 AM, Adam D. Barratt
> <adam@adam-barratt.org.uk> wrote:
>> On 28.12.2011 07:56, Patrick Geschke wrote:
>>> Hey,
>>>
>>> @Maintainers: What's the overall status of the package?
>>>
>>> According to php.net 5.3.8 is stable.
>>
>> 5.3.8 is in both testing and unstable - see
>> http://packages.qa.debian.org/p/php5.html
>>
>> Debian stable doesn't generally get new upstream versions of packages.
>>
>> Regards,
>>
>> Adam
>>
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact
>> listmaster@lists.debian.org
>> Archive:
>> http://lists.debian.org/f53555ce02d37a0ad7b0ef133d97d076@mail.adsl.funky-badger.org
>>
> New upstream version is used pretty loosely here.  I would hardly
> consider a bug fix release a new version.  You guys treat versions as
> if they're a matter of national security, because 5.3.7 vs 5.3.8 is
> obviously gonna have some major major API changes and some way new
> features.
>
>
The main issue is that the patch from, say, 5.3.7 to 5.3.8 is a
patchset.  A DD can't simply put this patch into a package and say "Here
are all the security updates."  One must split the patchset up and
document what each patch does.  Since I'm guessing the PHP developers
don't handle their releases like that, it's up to the DD to perform this
task.

The DD may likely opt to completely ignore the 5.3.7 to 5.3.8 patch and
just take the appropriate repository commits and re-patch each patch,
properly documenting its effect.

