Hi, I have backported unstable's php 4.2.3 packages to woody and I've been using them successfully for a few months. I am rather concerned about security so I sent the following message to the php-general mailing list. So far I have no response (granted less than a full day since I posted). I'm wondering if someone here might be able to help me with my questions ...
I'm trying to figure out if the version of php that I am running is secure against all known exploits and I am finding that task very difficult. I haven't been able to find a security page on either http://www.php.net/ or http://www.zend.com/

My questions are:

- is php 4.2.3 vulnerable to any known security issues?
- what is the meaning of php's versioning scheme? I see from the changelogs that features are added throughout the 4.x branches. I am used to schemes where 4.2.x would be feature frozen with just bug and security fixes being applied.
- is the 4.3.x branch the only one that is being maintained? I do not relish moving my servers from 4.2.3 to 4.3.? since I have encountered enough problems already with the move from 4.0.6 to 4.2.3. Most of the problems were from sloppy coding that should never have worked, but hey, it did work with 4.0.6 and does not work with 4.2.3. If the code were all mine I wouldn't be so concerned, but I don't want to be telling clients every 6-12 months that we're upgrading their php version and that things might break for them. Is there an official policy as to how long a branch is supported? PHP 4.2.0 is just over a year old, php 4.2.3 about 6 months old ...

Thanks,

-- 
Fraser Campbell <[EMAIL PROTECTED]>
http://www.wehave.net/
Halton Hills, Ontario, Canada
Debian GNU/Linux