Re: PHP vulnerabilities?

Matt Nuzum wrote:
On Sat, 18 Dec 2004 14:16:32 -0700, Michal Jaegermann

With RH7.3 and 4.1.2 this is entirely different kettle of fish.
I looked and I do not see any obvious way to fit these patches back.
I cannot even tell if the problems are there and if yes then which
particular code fragments are responsible.

At least on one RH 7.3 machine I am running php 4.3.8 from the
end of July of this year.  How successful such substitution would be
obviously depends on what applications you have on the top of it.
But if they are breaking then you should have started a forward
migration a long time ago.  There were good reasons to break
assorted grungy PHP code.

It is definitely possible to compile php 4.3.10 on RH7.3.  It wants
newer curl but sources from RH9 recompile there without heroic
efforts and that version is good enough.

 Michal


Forgive me if this message sounds a little tense; the bent of the conversation is a little worrying to me. It takes hundreds and hundreds of hours to certify an application such as mine on a new platform - those hundreds and hundreds of hours equate to a lot of money.

Presumably the PHP 4.1 that is currently in fedora legacy has all of
the previously known security issues addressed, although that might be
an inaccurate assumption. So of those 27 pages of changes since 4.1.2
only the newly discovered problems are of great concern. Even if there
are other security concerns lingering, this particular problem is
remotely exploitable, which makes it more pressing than most others.

I have been testing with 4.3.8 and found numerous changes such as
functions taking different params, functions being renamed, things
that were marked as experimental in 4.1 stabilizing... you can imagine
how these can have a dramatic effect on compatibility.

Honestly, if I wanted newer versions of the software, I would upgrade.
I need to use FL because I can't afford the instability of FC (let me
just point out that RedHat's EOL policy came out long after I'd made
the decision to standardize on RH).

I pray that some way can be found to ascertain if the problems apply
to RH7.3 and if so, that a patch can be found and applied without
changing the features of the PHP that is present.


Hi

Yes, the point is that we backport updates; this is done so that
existing applications will not break. And in the case of PHP, we also need to do a backport so that we do not break thousands of websites etc.
I think this should be quite clear.


But as I understood the issue, we are waiting to see if and when RH or others release updates for old versions of PHP; if they do, then we need to take action immediately.


Johnny

-- fedora-legacy-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-legacy-list