[php-maint] Bug#422567: security update in etch has same problem

Martin Langhoff martin at catalyst.net.nz
Thu May 24 20:10:19 UTC 2007


sean finney wrote:
> Was the regression introduced by the security upload, or was it just generally 
> a problem with 5.2.0?  As far as I knew it was the latter... ?

No - the problem was introduced by Etch+3. There's a security patch that
supposedly fixes handling of nulls in strip_tags() -- which introduces
this regression. I think it was the initial patch that the PHP folk put
together, and then later fixed up.

The Debian package has the initial patch with the regression, but not
the subsequent fixup.

> The unofficial packages have all of the recent security vulnerabilities in 
> them as well, so I don't think it's so bad to have to use them.  And as far 
> as the next point release goes, it should be Real Soon Now.

I don't know how soon is RSN -- I hope it's Really RSN so we don't have
to worry ;-) -- but Etch has a working unsafe PHP, while Etch+security
has a broken PHP.

Re unofficial packages, all I can say is THANKS, but... I am sure 90% of
the sysadmins looking after Etch boxes with PHP installed in production
don't know there's even a problem. Users will lose data, complain, and
after much pain and data loss eventually clued-up sysadmins will read
this bug and find your packages. Having it fixed in security.d.o makes a
lot more sense...

cheers,


m
-- 
-----------------------------------------------------------------------
Martin @ Catalyst .Net .NZ  Ltd, PO Box 11-053, Manners St,  Wellington
WEB: http://catalyst.net.nz/           PHYS: Level 2, 150-154 Willis St
OFFICE: +64(4)916-7224  UK: 0845 868 5733 ext 7224  MOB: +64(21)364-017
      Make things as simple as possible, but no simpler - Einstein
-----------------------------------------------------------------------