Thanks for the additional info, Micah. Looking at that log, it's clear
that the security updates/patches already available do handle the
*actual* security issues that PHP 5.3.6 addresses.

What it doesn't do is change the server's response header; the automated
PCI compliance test simply parses

It appears that listing this request as a Security vulnerability is
incorrect; backporting 5.3.6 would not necessarily fix any security
issues not already fixed via patches to 5.3.5, unless perhaps 5.3.6
already has the CVE-2011-2202 rfc1867_post_handler fix scheduled for
5.3.7. I cannot see a way

*** This bug is a security vulnerability ***

Public security bug reported:

PHP 5.3.6-13ubuntu1 is listed in oneiric; 5.3.5 is latest for natty.
http://www.php.net/ says that 5.3.6 fixes at least half a dozen security
issues... some of which are causing automated PCI compliance testing

(set public visibility because issues are well-known; already disclosed
and fixed.) I will do my best to help test; just switched from FreeBSD
to Ubuntu, so I'm still getting the hang of this package management
scheme.