[Phpwm] Fw: [USN-261-1] PHP vulnerabilities

Rob Allen rob at akrabat.com
Fri Mar 10 18:59:10 GMT 2006


sparkes wrote:

> It was discovered in Jan but Ubuntu and Suse both released new packages
> yesterday so I presumed these were a new batch. I know my debian etch
> server has updated these packages almost weekly this year.
> 

I wonder why? There hasn't been a new PHP release since Jan 13th. I'm 
subscribed to the PHP security list at phpsec at phparch.com and it's 
normally pretty quick at reporting issues with PHP and popular PHP 
applications. Maybe Debian are playing with integration?


> Perhaps it's time php stopped adding new features and did a full
> security review or at least pulled all the crap out of the main package
> and dynamically include packages with a method to allow admins to
> disallow their use.

Most of the extensions can be dynamically linked via the php.ini file. I 
wouldn't put session handling into the category of "optional" though.

PHP6 is looking interesting as they've already removed register_globals 
and magic_quotes :)


Regards,

Rob...
(www.akrabat.com)
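As an added illustration, not part of the thread and not Rob's or sparkes's own configuration: a PHP 5-era php.ini fragment of the kind the reply refers to, showing the legacy settings that PHP 6 dropped next to their hardened values, and an extension loaded dynamically rather than compiled into the main package. The extension directory path and module name are assumed for the example.

```ini
; --- Legacy settings (the "before"): both defaults in old PHP 4 installs ---
; register_globals turns every request parameter into a PHP variable,
; so an uninitialised $is_admin can be set from the query string.
; magic_quotes_gpc escapes input blindly and encourages code that never
; escapes output properly for the database it actually talks to.
;register_globals = On
;magic_quotes_gpc = On

; --- Hardened settings (the "after") ---
register_globals = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
allow_url_fopen = Off        ; no remote files in include/require
expose_php = Off             ; do not advertise the PHP version in headers
display_errors = Off         ; errors go to the log, not to the browser
log_errors = On
open_basedir = /var/www/site ; assumed web root; confine file access to it

; Extensions: build them as shared modules and load only the ones needed,
; instead of compiling everything into the main binary.
extension_dir = /usr/lib/php5/20051025   ; assumed path for this example
extension = mysqli.so
extension = mbstring.so

; Prevent scripts from pulling in further modules at runtime, so the
; extension list above is the whole list the admin controls.
enable_dl = Off

; Dangerous functions can be turned off here when the site does not need them.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```

Session handling, as the reply notes, stays in the core; the point of this fragment is that almost everything else can be kept out unless it is explicitly listed.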
