On Wed, 22 Dec 2004 23:42:13 +0100 Philipp Kern <[EMAIL PROTECTED]> wrote:
> On 22. Dec 2004, at 23:12, Jason Lim wrote:
> > Little bugfixes and even local exploits... okay... I can understand
> > there is less urgency. But for REMOTELY exploitable vulnerabilities, I
> > think there is a much greater urgency and importance.
>
> For serious PHP deployment you would consider an actual version, not
> the one you could find in stable.
>
> > I wish we could get an update if they are even _WORKING_ on a PHP
> > update, or if they have just thrown in the towel and said "we're not
> > going to patch this". If that's the case, we'll upgrade, but not
> > otherwise.

<snip>

> By the way I bet there are a lot more flaws in this plain old version
> which got fixed on the long way to 4.3.
>
> In my opinion it is not worth backporting PHP 4.3 to stable as sarge
> *should* be released as soon as security team support is available.

You make it sound like the version in Sarge has these security
vulnerabilities fixed. Except, it's still 4.3.9 - instead of 4.3.10,
which is supposed to fix this problem.

And no, I'm not complaining, though I do hope we're able to get the
security update soon.

Jacob