On 05/08/2012 06:30 PM, Ondřej Surý wrote:
> On Mon, May 7, 2012 at 10:02 AM, Thijs Kinkhorst <[email protected]> wrote:
>> On Sun, May 6, 2012 10:00, Thijs Kinkhorst wrote:
>>> On Sat, May 5, 2012 20:49, Adam D. Barratt wrote:
>>>> On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote:
>>>>>> For some reason I had it in my head that 5.4.2 was the upstream version
>>>>>> with the fixed fix rather than the not-quite fixed fix.
>>>>>
>>>>> I think this is the case (e.g. 5.4.2 is the fixed version).
>>>>
>>>> I assume Thijs was referring to CVE-2012-2311, which covers the fix in
>>>> 5.4.2 being incomplete.
>>>
>>> PHP 5.4.2 does not fix the issue.
>>
>> PHP upstream has now announced new releases for tomorrow, which also fix
>> another security issue:
>> http://www.php.net/archive/2012.php#id2012-05-06-1
>>
>> It would be great if we could get that into unstable swiftly and then
>> start the migration process.
>
> I am building security update for squeeze right now and will release
> 5.4.3 for unstable when it's released (there's some apache handler
> vulnerability from 5.4.1).

Hi,

What's the status of the reverse dependencies of PHP 5.4? I've done
quite a few NMUs to fix them, but I have to admit that I'm a bit lost
as to what's remaining to fix. Ondrej, can you tell, so that I can have
a go at fixing reverse dependencies?

How have you been running the archive-wide tests? By installing all
reverse dependencies and running php -l on all of them? Would it make
sense to have this run once more with the updated packages, and publish
the list of broken packages here again?

Cheers,

Thomas

