
Re: The state of debian security



gfmurphy@hardcoretek.com wrote:

Quote from debian’s security website:

Debian takes security very seriously.  Most security problems brought to our
attention are corrected within 48 hours.

Debian has yet to release security patches for two major vulnerabilities in php.
 In fact they haven’t released an advisory of any kind in over two weeks.  I
know that this is a community effort, but I don’t really understand how that’s
an excuse seeing that Gentoo released an updated ebuild the next day.

I love debian.  I run debian stable on all of my production machines, and the
belief that security patches would be handed down to the community promptly was
a major factor in choosing it as our distribution of choice.  Nevertheless, if
users continue to be frustrated by slow response times to security issues and
poor developer attitudes, debian has no real advantage over any other distro.

Frustrated and vulnerable…


I know exactly how you feel. I intended to ask the same question, in fact. The PHP bug I found in Debian's bugzilla, and a fix is promised in what should be one day or so. As a temporary workaround, disable memory_limit (set it to -1) in php.ini, which leaves you vulnerable to a POST DoS (by sending a huge amount of data via POST) but at least removes the possibility of remote code execution. As for the striptags issue, that depends on your scripts.

But along with those concerns, I am concerned about two kernel vulnerabilities that allow local users to cause a DoS. CAN-2004-0427 is noted in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=254354, but there appears to be little progress. http://bugs.gentoo.org/show_bug.cgi?id=53804 also appears to be a bug that would affect Debian's kernel, but I see no mention of it in Debian's bugzilla. There may be more.

Kernel vulnerabilities I can fix by going outside the Debian source tree, but I can do that with PHP, too. I'm not complaining; I have no right to complain over a free project that I'm not even contributing to. But I was really hoping someone could tell me if these bugs are going to be patched soon, so I can decide what I plan to do about them if they aren't.

Like you, I chose Debian for a production machine over Gentoo, on the assumption that I could count on Debian for fast patches. But as of late, there appear to be some delays or organizational problems. Should I jump ship? Must I patch myself?

I truly hope I haven't offended anybody. I know how hard this can be. I'm merely asking for information, not trying to insult anybody.


