On Fri, 12 Apr 2013 03:56:31 +1000 Andrew McGlashan <andrew.mcglas...@affinityvision.com.au> wrote:
> If data is passed via forms or via GET or POST and that data isn't
> properly handled by php itself, then it may produce a buffer overrun
> situation ... possibly before the data gets passed through to the
> webpage code; if this can be fixed by an extension or hardening patch,
> then great, if not, then we are in trouble.

That would indeed be a PHP bug, and would be found quickly. Some people do little else with their lives but fling random data at public interfaces to see what sticks...

> I would like to know that everything that was providing protection via
> Suhosin has been incorporated into PHP core, that would be the most
> logical way to deal with the problem, rather than having 3rd party
> patches and extensions.

I would doubt that all of it has been. I think it was withdrawn because it became difficult to use.

OK, I've just found this, which will probably answer some of your questions:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657698#15

> Actually it does appear to still be in SID:
>
> http://packages.debian.org/sid/php5-suhosin

I hadn't noticed before, but the Debian packages pages show only depends and not conflicts. If you check the properties of php5-suhosin in the Sid apt system you will find it conflicts with php5-suhosin. No, I don't know why it hasn't been removed from the distribution, I just remember it being impossible to upgrade some time ago, and after leaving it for a few weeks for the dust to settle, it was still uninstallable.

I should make clear that I'm not a commercial programmer of any kind, and I dabble in PHP now and then only on my home server. I'm past the 'a little knowledge' stage: I know enough about web application security to know that I don't know anything like enough to write secure code to present to the public, so I don't attempt it. My home web server is not accessible from outside other than via a certificate-secured VPN.
-- 
Joe

Archive: http://lists.debian.org/20130411200538.189a7...@jretrading.com