php5-5.2.11_1 Vulnerabilities

Xin LI delphij at gmail.com
Sat Dec 26 12:32:49 UTC 2009


Hi, Vincent,

On Sat, Dec 26, 2009 at 4:06 AM, Vincent Hoffman <vince at unsane.co.uk> wrote:
> Xin LI wrote:
>> I think ale@ has posted a patch to update it to PHP 5.3.1 which is not
>> vulnerable.  Is it an option for you?
>>
>> http://www.alexdupre.com/php53.diff
>>
> We've found 5.3 is different enough from 5.2 at work that a number of
> customers have needed downgrading again after upgrading. (We're a Linux
> shop but the same theory applies.) A particular gotcha was the removal of the
> mhash module which is used by plenty of shopping cart code (it's now
> emulated by the built-in hash stuff, but php configure needs the
> --with-mhash flag. And because it's emulated it can't be built as a
> module.) Test thoroughly if you're thinking of moving to php5.3.
>    However, as yet various stuff that's in the php5.2.11 port isn't
> available or has changed a bit for 5.2.12. For example the Suhosin
> hardening patch isn't available for 5.2.12 yet (people taking time off
> for the holidays, I'd guess ;)

I actually have a semi-working 5.2.12 patchset which worked for the
extensions I am using, but it needs some further work.

IIRC, for Suhosin, the 5.2.11 patch should just work for 5.2.12 (the
mailhead patch has been updated for 5.2.12 anyway).  So, neither is a
blocking problem for us.  However, since php5 has so many slave ports
it's not so easy to have a thorough test (at least 1 slave port needs
to be changed and the patch there should be updated), which needs some
time, so I don't want to commit my patches without more thorough
testing; also I'm a bit concerned that it's likely to increase ale@'s
workload if I commit a 5.2.12.

Cheers,
-- 
Xin LI <delphij at delphij.net> http://www.delphij.net
