
Re: wheezy still missing php5-suhosin

On 11/04/2013 5:40 AM, Bob Proulx wrote:
> What I have read (caution unverified) is that the PHP interpreter
> isn't intrinsically insecure.  It only becomes that way when used with
> insecure php code.  Which makes sense.  Any upstream interpreter
> vulnerability would have a CVE number associated with it that would be
> tracked.  I see people calling for those reports but none are being
> provided for any current vulnerabilities.

Yes, but insecure code is so easy to write and even the so-called experts
are writing it.  There is even an O'Reilly book that has wrong
information that is leading programmers astray.  The protections
provided by Suhosin in the past may _always_ be required and necessary.

It's not as bad as the 95% of people running Java who are using older
versions known to be exploitable, but there is plenty of exploitable PHP
code -- some may remain for years on non-patched servers, but new and
properly patched servers shouldn't be part of the problem.  PHP needs,
upstream, to make sure that programming flaws cannot be exploited, and
that is what Suhosin aims to achieve.  Bad code will be there; we need
to be protected from it one way or another.
