Bug#318063: php4: PHP 4.4.0 may fix security bugs

2005-07-13 Thread Florian Weimer
Package: php4
Severity: grave
Tags: security
Justification: user security hole

Version 4.4.0 addresses some memory corruption bugs, apparently resulting
from fairly widespread errors in the implementation of reference
counting.  These bugs probably can be exploited by malicious PHP scripts
only, and not by specially crafted input to correctly written PHP
scripts.

These bugs will likely be addressed for stable by a change in the
security bug policy for stable.  Discussions with the security team are
ongoing; a detailed statement should be published soon.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#318063: php4: PHP 4.4.0 may fix security bugs

2005-07-13 Thread Adam Conrad

Florian Weimer wrote:

> Version 4.4.0 addresses some memory corruption bugs, apparently resulting
> from fairly widespread errors in the implementation of reference
> counting.  These bugs probably can be exploited by malicious PHP scripts
> only, and not by specially crafted input to correctly written PHP
> scripts.
>
> These bugs will likely be addressed for stable by a change in the
> security bug policy for stable.  Discussions with the security team are
> ongoing; a detailed statement should be published soon.


We need a new security policy for something that *may* fix security 
bugs?  Neat.


... Adam






Bug#318063: php4: PHP 4.4.0 may fix security bugs

2005-07-13 Thread Florian Weimer
* Adam Conrad:

>> These bugs will likely be addressed for stable by a change in the
>> security bug policy for stable.  Discussions with the security team are
>> ongoing; a detailed statement should be published soon.
>
> We need a new security policy for something that *may* fix security
> bugs?  Neat.

No, for the countless PHP bugs which only materialize when you run
untrusted PHP scripts which do malicious things.

The security team (and vendor-sec) have already decided that they
won't address such bugs, only documentation is currently missing.  I'm
going to send my proposal to the debian-security soon.  (The security
team was not available for comment so far.)

