[php-maint] Bug#422567: Bug#422567: security update in etch has same problem
Martin Langhoff
martin at catalyst.net.nz
Thu May 24 09:31:01 UTC 2007
sean finney wrote:
> right. that package is the same as the normal etch version, plus a few unrelated
> security fixes. so both should be broken, but that one should be a little
> safer :)
>
> anyway, after speaking with the SRMs they've decided that this is an
> acceptable update to stable, so the version i posted on people.debian.org
> should make it into the next point release of stable. thanks to everyone who
> spent the time to test it and report back.
Sean,
thanks for the update. This means that the regression introduced with
the security upload is going to stay there for a while (until we get a
point release of stable)?
If so... it sounds pretty bad. Debian is used widely in the hosting
space, where PHP is bread-and-butter. And this is a dataloss bug: users
post their forms, and any passable CMS will run html-ish content past
strip_tags() which will eat valid user input. Oooops!
I'm not convinced that it's a good idea to sit on this regression... the
options seem to be
- new secure package, eats data for breakfast (default)
- pin the package to the old vulnerable, non-data-eating
- use unofficial packages
- avoid etch
cheers
m
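Since the thread's concern is that a security-patched php5 package can change strip_tags() behaviour and silently drop user input, one practical check is a small regression script run against a candidate package before it reaches hosting boxes. The script below is an added example, not code from the thread or from the Debian php5 package: it feeds strip_tags() a set of constructed inputs with known expected results and reports any mismatch. The fixture strings are made up for illustration and are not the specific trigger from Bug#422567, which the message does not spell out; it uses only the long-form array() syntax so it runs on the PHP 5.2 shipped in etch as well as on later versions.

```php
<?php
// Added example: regression check for strip_tags() on a candidate PHP build.
// Fixture strings are constructed; they are not the input from Bug#422567.
// Expected values follow the documented behaviour: tags removed, text kept,
// a lone '<' or '>' that is not a tag left untouched.

$cases = array(
    // array(input, allowed tags, expected output)
    array("no tags here",              "",    "no tags here"),
    array("Hello <b>world</b>",        "",    "Hello world"),
    array("<p>a</p><p>b</p>",          "",    "ab"),
    array("<a href=\"/x\">link</a>!",  "",    "link!"),
    array("line1<br />line2",          "",    "line1line2"),
    array("1 < 2 and 3 > 2",           "",    "1 < 2 and 3 > 2"),
    array("<b>keep</b> <i>drop</i>",   "<b>", "<b>keep</b> drop"),
);

// Runs every case and returns a list of human-readable failure descriptions.
function check_strip_tags(array $cases)
{
    $failures = array();
    foreach ($cases as $i => $c) {
        list($input, $allowed, $expected) = $c;
        $got = ($allowed === '') ? strip_tags($input) : strip_tags($input, $allowed);
        if ($got !== $expected) {
            $failures[] = sprintf("case %d: input=%s expected=%s got=%s",
                $i,
                var_export($input, true),
                var_export($expected, true),
                var_export($got, true));
        }
    }
    return $failures;
}

$failures = check_strip_tags($cases);
if (count($failures) === 0) {
    echo "strip_tags: all " . count($cases) . " cases passed on PHP " . PHP_VERSION . "\n";
    exit(0);
}
echo "strip_tags REGRESSION on PHP " . PHP_VERSION . ":\n  "
   . implode("\n  ", $failures) . "\n";
exit(1);
```

Run it with the candidate package's interpreter (for example `php5 strip_tags_check.php`, assuming that file name) and wire the non-zero exit status into whatever pre-deployment test you already use; any case that fails on the patched package but passes on the previous one is exactly the kind of input-eating regression the thread describes.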