Re: wheezy still missing php5-suhosin
On Fri, 12 Apr 2013 03:56:31 +1000
Andrew McGlashan <firstname.lastname@example.org> wrote:
> If data is passed via forms or via GET or POST and that data isn't
> properly handled by php itself, then it may produce a buffer overrun
> situation ... possibly before the data gets passed through to the
> webpage code; if this can be fixed by an extension or hardening patch,
> then great, if not, then we are in trouble.
That would indeed be a PHP bug, and would be found quickly. Some people
do little else with their lives but fling random data at public
interfaces to see what sticks...
> I would like to know that everything that was providing protection via
> Suhosin has been incorporated into PHP core, that would be the most
> logical way to deal with the problem, rather than having 3rd party
> patches and extensions.
I would doubt that all of it has been. I think it was withdrawn because
it became difficult to use.
OK, I've just found this, which will probably answer some of your
> Actually it does appear to still be in SID:
I hadn't noticed before, but the Debian packages pages show only depends
and not conflicts. If you check the properties of php5-suhosin in the
Sid apt system you will find it conflicts with php5-suhosin. No, I don't
know why it hasn't been removed from the distribution, I just remember
it being impossible to upgrade some time ago, and after leaving it for
a few weeks for the dust to settle, it was still uninstallable.
I should make clear that I'm not a commercial programmer of any kind,
and I dabble in PHP now and then only on my home server. I'm past the 'a
little knowledge' stage: I know enough about web application security
to know that I don't know anything like enough to write secure code to
present to the public, so I don't attempt it. My home web server is not
accessible from outside other than via a certificate-secured VPN.