Re: wheezy still missing php5-suhosin

Andrew McGlashan wrote:
> To cut a long story short, if PHP upstream has incorporated the features
> of Suhosin, then we should be fine; is it the final conclusion from that
> long thread and all the references from it, that we are in good shape
> with 5.4.4 -- better than pre 5.4 with Suhosin?

To be honest I have not read through all of that information myself
yet in enough detail to know one way or the other.  It really needs
the skills of an upstream interpreter developer to know.  I would love
to hear from someone who is familiar with the code well enough to make
an intelligent summary.

What I have read (caution: unverified) is that the PHP interpreter
isn't intrinsically insecure.  It only becomes that way when used with
insecure PHP code.  Which makes sense.  Any upstream interpreter
vulnerability would have a CVE number associated with it that would be
tracked.  I see people calling for those reports but none are being
provided for any current vulnerabilities.
