[php-maint] squeeze/php 5

sean finney seanius at debian.org
Mon May 9 09:52:37 UTC 2011


Hi Rene,

On Mon, May 09, 2011 at 11:26:57AM +0200, Rene Bleisch wrote:
> My question: are you planning or already working on a new version of the  
> debian-squeeze-php package (with php 5.4.), which finally seems to be  
> secure (at least in the moment)? If not, I would highly encourage you to  
> do so, as it seems really to be an important security issue.

For previous stable releases, we do not provide the latest upstream versions
but instead backport the security fixes.  Many automated scanners use only
the version string of the software, instead of running an active check, and
thus are likely to get false-positive warnings.

That said, PHP does have a rather infamous track-record with regards
to security, and it's always possible that some vulnerability either
slipped under our radar or was consciously down-prioritized due to our
standing policy on PHP security updates in stable releases, or has not
yet gotten some time for review.

So I suggest that you take the list of vulnerabilities from your audit/scan,
and cross-reference them with the security tracker[1], and make your decision
based on that.  Also keep in mind that you are always welcome to volunteer,
so if there are particular security issues that you want to see resolved
in the stable releases, feel free to start up a discussion and/or dig up
the patches :)


	sean

[1] http://security-tracker.debian.org/tracker/source-package/php5
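The triage Sean describes above, as an added example that is not part of the original thread or of the Debian php5 packaging: Debian changelog entries for a security upload normally name the CVE ids they backport, so a scanner's findings (which usually come from the bare upstream version string) can be split into "already fixed in the installed Debian revision" and "still needs a look on the security tracker". The changelog below is constructed for illustration with placeholder CVE ids and a placeholder maintainer; on a real system the input would be the package's changelog.Debian.gz under /usr/share/doc/php5/. Only CVEs the maintainers wrote into the changelog can be matched this way, so the security tracker remains the authority for anything left in the "needs review" bucket.

```python
import re

# Constructed sample in Debian changelog format (newest entry first).
# Not the real php5 changelog; CVE ids and maintainer are placeholders.
SAMPLE_CHANGELOG = """\
php5 (5.3.3-7+squeeze3) stable-security; urgency=high

  * Backport upstream fixes for CVE-0000-0003 and CVE-0000-0004.

 -- Example Maintainer <maintainer@example.org>  Mon, 09 May 2011 09:00:00 +0000

php5 (5.3.3-7+squeeze1) stable-security; urgency=high

  * Backport fix for CVE-0000-0001 (placeholder id).
  * Backport fix for CVE-0000-0002 (placeholder id).

 -- Example Maintainer <maintainer@example.org>  Tue, 01 Mar 2011 09:00:00 +0000

php5 (5.3.3-7) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Tue, 01 Feb 2011 09:00:00 +0000
"""

# A changelog entry header looks like: "<source> (<version>) <dist>; urgency=<u>".
# Signature lines start with a space, so they never match at "^".
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return [(version, {cve ids mentioned in that entry}), ...], newest first."""
    entries = []
    headers = list(ENTRY_RE.finditer(text))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[header.end():end]
        entries.append((header.group(2), set(CVE_RE.findall(body))))
    return entries


def fixed_cves(changelog, installed_version):
    """CVE ids named in the installed revision or any older entry.

    Entries newer than the installed revision are deliberately excluded:
    a fix that landed in +squeeze3 does not help a host still on +squeeze1.
    """
    entries = parse_changelog(changelog)
    versions = [version for version, _ in entries]
    if installed_version not in versions:
        raise ValueError("installed version %r not found in changelog" % installed_version)
    start = versions.index(installed_version)
    fixed = set()
    for _, cves in entries[start:]:
        fixed |= cves
    return fixed


def triage(scanner_cves, changelog, installed_version):
    """Split scanner findings into fixed-by-backport vs. needs manual review."""
    fixed = fixed_cves(changelog, installed_version)
    reported = set(scanner_cves)
    return {
        "already_fixed": sorted(reported & fixed),
        "needs_review": sorted(reported - fixed),
    }


if __name__ == "__main__":
    # Constructed scanner output: ids flagged purely from the "5.3.3" version string.
    findings = ["CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0009"]
    for installed in ("5.3.3-7+squeeze1", "5.3.3-7+squeeze3"):
        print(installed, triage(findings, SAMPLE_CHANGELOG, installed))
```

The point of checking the installed Debian revision rather than the upstream version is exactly the false-positive case in the reply: the same "5.3.3" string covers revisions with and without a given backport, and only the changelog (or the security tracker) tells them apart.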
