Hi, I'm sorry, but I have a question:
Is Sarge / stable going to get an update for these problems?

In particular, CVE-2005-3390 (GLOBALS array overwrite) for PHP, which I believe Sarge / stable is vulnerable to (CVE entry says it applies to "PHP 4.x up to 4.4.0"), and it is (IMO) a real-world security problem that should be fixed in the stable release.

I had been assuming that the fix for this problem would go into Debian 3.1r2, the next stable release. However, the recent updates seem to be for Testing.

Have I been following the wrong bug? (I couldn't see anything else that looked suitable at http://qa.debian.org/bts-security.html#php4) Should I log a new bug specifically for Sarge, if I want an update for 3.1r2? Or am I outright wrong, and these updates will be suitable for the next Sarge release?

All the best,
Nick.