Re: wheezy still missing php5-suhosin

To: debian-user@lists.debian.org
Subject: Re: wheezy still missing php5-suhosin
From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
Date: Thu, 11 Apr 2013 15:57:03 +1000
Message-id: <[🔎] 516650AF.6050603@affinityvision.com.au>
In-reply-to: <[🔎] 20130411052127.GA12005@hysteria.proulx.com>
References: <[🔎] 5165409B.9000109@affinityvision.com.au> <[🔎] 20130410172628.GA29640@hysteria.proulx.com> <[🔎] 5165AE7D.6090504@affinityvision.com.au> <[🔎] 20130410194021.GB19032@hysteria.proulx.com> <[🔎] 51663E3A.5090705@affinityvision.com.au> <[🔎] 20130411052127.GA12005@hysteria.proulx.com>

On 11/04/2013 3:21 PM, Bob Proulx wrote:
> Andrew McGlashan wrote:
>> Yes, but insecure code is so easy to make and even the so called experts
>> are making them.  There is even an O'Reilly book that has wrong
>> information that is leading programmers astray.  The protections
>> provided by Suhosin in the past may _always_ be required and necessary.
> 
> This is all so nebulous and vague.  Is there an example that could be
> cited of a case that the suhosin patch will protect against in the
> php 5.4.4 interpreter?  Even one example would really help drive the
> point home.

I wish I could give you an example, but I can't.

You need to know exactly what Suhosin is protecting against, the code
implementation that causes vulnerability, and then you need someone to
test against that using newer PHP base.

>> It's not as bad as 95% of people running Java are using older versions
>> that are known to be exploitable, but there is plenty of exploitable PHP
>> code -- some may remain for years on non-patched servers, but new and
>> properly patched servers shouldn't be part of the problem.  PHP needs
>> to, upstream, make sure that programming flaws cannot be exploited and
>> that is what Suhosin aims to achieve.  Bad code will be there, we need
>> to be protected from it one way or another.
> 
> So...  Why isn't upstream PHP being pressured to address the problem?

Perhaps they have, the problem is that we just don't have the details...

If PHP upstream has committed to providing the same functionality as
Suhosin, and they've implemented it then we are sweet -- but right now,
we just don't know.

> And if they are really so bad why are so many people still using it?
> 
> Yes I have seen a lot of really horrid php code.  But I am not a heavy
> user of other people's code.  I am supporting one php application that
> I wrote and that is it at the moment.  And since I wrote it I am very
> familiar with the internals of it.  But it isn't representative of
> "other people's code".

I see messages from a Magento website, that is probably always going to
be somewhat out of date .... don't ask me which module or where the code
problems are, but I see logcheck messages quite often from Suhosin on
stable servers.

Cheers
A.

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: wheezy still missing php5-suhosin
  - From: Joe <joe@jretrading.com>

References:
- wheezy still missing php5-suhosin
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: wheezy still missing php5-suhosin
  - From: Bob Proulx <bob@proulx.com>
- Re: wheezy still missing php5-suhosin
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: wheezy still missing php5-suhosin
  - From: Bob Proulx <bob@proulx.com>
- Re: wheezy still missing php5-suhosin
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: wheezy still missing php5-suhosin
  - From: Bob Proulx <bob@proulx.com>

Prev by Date: Serveur with encrypted partition : 2 steps boot.
Next by Date: Re: Serveur with encrypted partition : 2 steps boot.
Previous by thread: Re: wheezy still missing php5-suhosin
Next by thread: Re: wheezy still missing php5-suhosin
Index(es):
- Date
- Thread