[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wheezy still missing php5-suhosin

Hi Bob,

On 11/04/2013 3:26 AM, Bob Proulx wrote:
> Andrew McGlashan wrote:
>> Now, php5-suhosin provides some real protection against programming
>> problems that could very easily exist and it is not uncommon to see
>> messages from Debian stable installs reporting bugs / vulnerabilities
>> detected by suhosin....
> The question isn't whether the suhosin patch did good with older PHP
> versions.  The question is whether newer PHP versions benefit as much
> from it.  Because in recent years AIUI many of the features of suhosin
> were merged into the mainline PHP.  And supporting suhosin isn't easy.
> At least some other distros have also stopped supporting it too.

I understand that Ubuntu have 12.10 locked in on 5.3.9 because of lack
of Suhosin patch / support.  Don't know what later Ubuntu will be doing.

>> Will php5-suhosin be re-instated any time soon?  And if not, what
>> measures can we take to protect Wheezy servers now?
> Here is a good place to read up on the current state of PHP plus
> suhosin in Debian.
>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657698
> It is a long thread with a lot of references to research.  Grab a
> comfortable chair and a stimulating beverage.

Great, thank you very much for your post and the reference.

To cut a long story short, if PHP upstream has incorporated the features
of Suhosin, then we should be fine; is it the final conclusion from that
long thread and all the references from it, that we are in good shape
with 5.4.4 -- better than pre 5.4 with Suhosin?


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: