PHP vulnerabilities?

Matthew Nuzum matt.followers at gmail.com
Sat Dec 18 04:35:24 UTC 2004


On Fri, 2004-12-17 at 19:18 -0800, Dan Hollis wrote:
> On Fri, 17 Dec 2004, Jim Popovitch wrote:
> > Given the considerable amount of changes in PHP since v4.1.2 (current FL
> > release), what is the possibility about just releasing a v4.3.10 rpm?
> > One could sorta argue that the number of security problems necessitates
> > more than just a point fix here and a point fix there (in no way
> > implying that any part of this is trivial)
> 
> Are there backwards compat issues with 4.3.10 vs 4.1.2?
> A 4.3.10 release would mean having to release all the supporting php
> packages as well, e.g. php-ldap, php-mysql, php-imap, etc...
> 
> Worth it?
> 
> -Dan

There are backwards compat issues. For one, PHP 4.2 started shipping
with register_globals off, which is likely to break compatibility in a
major way. It should be easy though to create an RPM that ships with
register_globals on.

However, there have been many other changes since then. In evaluating my
response to this problem I spent a bit of time yesterday going through
the change logs on the php.net website. The relevant changes were 27
pages long as printed on US Letter sized paper.

I did some brief testing with an application I've written for 4.1.x on a
4.3.10 install and found numerous errors. I stopped testing in order to
do more research, so I can't say for sure what the errors were yet, but
I'll be looking into it [for probably all of] next week.

-- 
Matthew Nuzum <matt at followers.net>
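As an added illustration (not part of the thread or of any Fedora Legacy package) of why the register_globals default change breaks 4.1-era scripts and why the new default is the safer one: a hypothetical page written against register_globals=On, beside a port to the superglobals that behaves the same under either setting. The function names and the allow-listed import helper are assumptions for the example.

```php
<?php
// Added example, not from the thread. A hypothetical page written for
// PHP 4.1-era defaults, where register_globals=On turned every request
// parameter into a PHP variable, so ?user=alice silently set $user.

// --- 4.1-style code: depends on register_globals=On ----------------------
function greet_legacy() {
    global $user;            // populated from the request only when On
    if (!isset($user)) {
        return "Hello, guest";
    }
    return "Hello, " . htmlspecialchars($user);
}
// Under the 4.2+ default (Off) $user is never set, so this script
// "breaks": every visitor becomes "guest". The same mechanism is why On
// was risky: any variable a script forgot to initialise could be pre-set
// by whoever sent the request, which is why Off is the safer default.

// --- Ported code: identical behaviour under On or Off ---------------------
function greet_ported($get) {
    // Read request data only from the superglobal handed in; never rely
    // on a variable that appears out of nowhere.
    $user = isset($get['user']) ? (string) $get['user'] : '';
    if ($user === '') {
        return "Hello, guest";
    }
    return "Hello, " . htmlspecialchars($user, ENT_QUOTES);
}

// --- Migration shim (assumed helper, not a PHP built-in) -----------------
// For scripts that cannot be ported quickly, import only an explicit
// allow-list of request keys into the global scope. Unlike flipping
// register_globals back On, the set of importable names is visible and
// auditable in one place, and uninitialised variables stay unset.
function import_request_vars($allowed) {
    foreach ($allowed as $name) {
        if (isset($_REQUEST[$name])) {
            $GLOBALS[$name] = $_REQUEST[$name];
        }
    }
}

echo greet_ported($_GET), "\n";
```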