PHP vulnerabilities?

Jim Popovitch jimpop at yahoo.com
Mon Dec 20 16:26:16 UTC 2004


On Mon, 2004-12-20 at 09:43 -0500, Matt Nuzum wrote:
> Forgive me if this message sounds a little tense, the bent of the
> conversation is a little worrying to me. It takes 100's and 100's of
> hours to certify an application such as mine on a new platform - those
> 100's and 100's of hours equate into a lot of money.

Very valid.  In the interest of fairness, ask yourself just how much
money and time it would take to rebuild one or more hacked php servers.

> Presumably the PHP 4.1 that is currently in fedora legacy has all of
> the previously known security issues addressed, although that might be
> an inaccurate assumption.

That is a big presumption.  PHP developers themselves don't even
maintain/verify these old versions.  Who is tracking their (daily?)
"changes" to see if something in FL needs to be *fixed*?

> So of those 27 pages of changes since 4.1.2
> only the newly discovered problems are of great concern. 

Are they?  I would guess that in those 27 pages of fixes there are
some things that the FL updates AND you don't know about.

> Even if there
> are other security concerns lingering, this particular problem is
> remotely exploitable which makes it more pressing than most others.

You seem too sure.  Your statements make sense for something like
openssh and openssl, things that have previously gone over with a
fine-toothed comb by masses of people.  PHP is a different story.

-Jim P.

More information about the fedora-legacy-list mailing list