On 7/10/10 3:17 PM, Reindl Harald wrote:
>
> On 10.07.2010 23:52, Rasmus Lerdorf wrote:
>> On 7/10/10 2:32 PM, Reindl Harald wrote:
>>> Why are there no point releases for security bugs?
>>>
>>> The changelog from 5.3.2 to 5.3.3 RCx shows many
>>> security releases which are well known in the meantime
>>>
>>> It's VERY bad to schedule them always only with
>>> the normal bugfixes and also on production servers
>>> it can not be recommended to backport them by the admin
>>>
>>> So why is there no 5.3.2.1 which only fixes them?
>>
>> None of the security issues are serious remotely exploitable ones. They
>> are all local.
>
> What is enough on shared hosting because there are many ways
> to trigger local exploits. If there is ANY eval-injection
> in a script unknown to the admin, you have a full remote exploit

Shared hosts need to take other measures such as chroot'ed environments
or VMs. There are way too many local exploits, many of which have
nothing to do with PHP in underlying 3rd-party libraries.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php