PHP vulnerabilities?

Johnny Strom jonny.strom at netikka.fi
Mon Dec 20 14:54:17 UTC 2004


Matt Nuzum wrote:
> On Sat, 18 Dec 2004 14:16:32 -0700, Michal Jaegermann 
> 
>>With RH7.3 and 4.1.2 this is an entirely different kettle of fish.
>>I looked and I do not see any obvious way to fit these patches back.
>>I cannot even tell if the problems are there and if yes then which
>>particular code fragments are responsible.
>>
>>At least on one RH 7.3 machine I am running php 4.3.8 from the
>>end of July of this year.  How successful such substitution would be
>>obviously depends on what applications you have on the top of it.
>>But if they are breaking then you should have started a forward
>>migration a long time ago.  There were good reasons to break
>>assorted grungy PHP code.
>>
>>It is definitely possible to compile php 4.3.10 on RH7.3.  It wants
>>newer curl but sources from RH9 recompile there without heroic
>>efforts and that version is good enough.
>>
>>  Michal
>>
> 
> Forgive me if this message sounds a little tense, the bent of the
> conversation is a little worrying to me. It takes 100's and 100's of
> hours to certify an application such as mine on a new platform - those
> 100's and 100's of hours equate into a lot of money.
> 
> Presumably the PHP 4.1 that is currently in fedora legacy has all of
> the previously known security issues addressed, although that might be
> an inaccurate assumption. So of those 27 pages of changes since 4.1.2
> only the newly discovered problems are of great concern. Even if there
> are other security concerns lingering, this particular problem is
> remotely exploitable which makes it more pressing than most others.
> 
> I have been testing with 4.3.8 and found numerous changes such as
> functions taking different params, functions being renamed, things
> that were marked as experimental in 4.1 stabilizing... you can imagine
> how these can have a dramatic effect on compatibility.
> 
> Honestly, if I wanted newer versions of the software, I would upgrade.
> I need to use FL because I can't afford the instability of FC (Let me
> just point out that RedHat's EOL policy came out long after I'd made
> the decision to standardize on RH).
> 
> I pray that some way can be found to ascertain if the problems apply
> to RH7.3 and if so, that a patch can be found and applied without
> changing the features of the PHP that is present.


Hi

Yes, the point is that we backport updates; this is done so that
existing applications will not break. And in the case of PHP we also
need to do a backport so that we do not break thousands of websites etc.
I think this should be quite clear.

But as I understood the issue, we are waiting to see if and when RH or
others release updates for old versions of PHP; if they do, then we need
to take action immediately.


  Johnny