PHP vulnerabilities?

Matt Nuzum matt.followers at gmail.com
Mon Dec 20 14:43:18 UTC 2004


On Sat, 18 Dec 2004 14:16:32 -0700, Michal Jaegermann 
> With RH7.3 and 4.1.2 this is an entirely different kettle of fish.
> I looked and I do not see any obvious way to fit these patches back.
> I cannot even tell if the problems are there and if yes then which
> particular code fragments are responsible.
> 
> At least on one RH 7.3 machine I am running php 4.3.8 from the
> end of July of this year.  How successful such substitution would be
> obviously depends on what applications you have on the top of it.
> But if they are breaking then you should have started a forward
> migration a long time ago.  There were good reasons to break
> assorted grungy PHP code.
> 
> It is definitely possible to compile php 4.3.10 on RH7.3.  It wants
> newer curl but sources from RH9 recompile there without heroic
> efforts and that version is good enough.
> 
>   Michal
> 
Forgive me if this message sounds a little tense, the bent of the
conversation is a little worrying to me. It takes hundreds and hundreds of
hours to certify an application such as mine on a new platform - those
hundreds and hundreds of hours equate into a lot of money.

Presumably the PHP 4.1 that is currently in fedora legacy has all of
the previously known security issues addressed, although that might be
an inaccurate assumption. So of those 27 pages of changes since 4.1.2
only the newly discovered problems are of great concern. Even if there
are other security concerns lingering, this particular problem is
remotely exploitable which makes it more pressing than most others.

I have been testing with 4.3.8 and found numerous changes such as
functions taking different params, functions being renamed, things
that were marked as experimental in 4.1 stabilizing... you can imagine
how these can have a dramatic effect on compatibility.

Honestly, if I wanted newer versions of the software, I would upgrade.
I need to use FL because I can't afford the instability of FC (Let me
just point out that RedHat's EOL policy came out long after I'd made
the decision to standardize on RH).

I pray that some way can be found to ascertain if the problems apply
to RH7.3 and if so, that a patch can be found and applied without
changing the features of the PHP that is present.
-- 
Matthew Nuzum <matt at followers.net>
www.followers.net - Makers of "Elite Content Management System"
View samples of Elite CMS in action by visiting
http://www.followers.net/portfolio/

More information about the fedora-legacy-list mailing list