[php-maint] Bug#422567: Bug#422567: security update in etch has same problem

Martin Langhoff martin at catalyst.net.nz
Thu May 24 09:31:01 UTC 2007

sean finney wrote:
> right.  that package is the same the normal etch version, plus a few unrelated 
> security fixes.  so both should be broken, but that one should be a little 
> safer :)
> anyway, after speaking with the SRM's they've decided that this is an 
> acceptable update to stable, so the version i posted on people.debian.org 
> should make it into the next point release of stable.  thanks to everyone who 
> spent the time to test it and report back.


thanks for the update. This means that the regression introduced with
the security upload is going to stay there for a while (until we get a
point release of stable)?

If so... it sounds pretty bad. Debian is used widely in the hosting
space, where PHP is bread-and-butter. And this is a dataloss bug: users
post their forms, and any passable CMS will run html-ish content past
strip_tags() which will eat valid user input. Oooops!

I'm not convinced that it's a good idea to sit on this regression... the
options seem to be

 - new secure package, eats data for breakfast (default)
 - pin the package to the old vulnerable, non-data-eating
 - use unofficial packages
 - avoid etch



More information about the pkg-php-maint mailing list