[php-maint] Bug#336645: Bug 336645: PHP 4.4.1 Security Fixes

Nick Jenkins nickpj at gmail.com
Fri Feb 3 06:55:39 UTC 2006


Hi,

I'm sorry, but I have a question:

Is Sarge / stable going to get an update for these problems?

In particular, CVE-2005-3390 (GLOBALS array overwrite) for PHP, which
I believe Sarge / stable is vulnerable to (CVE entry says it applies
to "PHP 4.x up to 4.4.0"), and it is (IMO) a real-world security
problem that should be fixed in the stable release.

I had been assuming that the fix for this problem would go into Debian
3.1r2, the next stable release. However, the recent updates seem to be for
Testing.

Have I been following the wrong bug? (I couldn't see anything else
that looked suitable at http://qa.debian.org/bts-security.html#php4 )
Should I log a new bug specifically for Sarge, if I want an update for 3.1r2?
Or am I outright wrong, and these updates will be suitable for the
next Sarge release?

All the best,
Nick.



