On 7/12/10 6:22 AM, Ferenc Kovacs wrote:
> On Sat, Jul 10, 2010 at 11:52 PM, Rasmus Lerdorf <ras...@lerdorf.com> wrote:
>> On 7/10/10 2:32 PM, Reindl Harald wrote:
>>> Why there are no point releases for security-bugs?
>>>
>>> The changelog from 5.3.2 to 5.3.3 RCx shows many
>>> security releases which are well known in the meantime
>>>
>>> It's VERY bad to schedule them always only with
>>> the normal bugfixes and also on production servers
>>> it can not be recommended to backport them by the admin
>>>
>>> So why there is no 5.3.2.1 which only fixes them?
>>
>> None of the security issues are serious remotely exploitable ones. They
>> are all local.
>>
>
> You mean that there will be security fix release shipped ASAP if a
> remote exploit goes public?

Of course.

> Or why is it important that the current "0day" exploits are local only?

Because local exploits are obviously less serious. Most serious sites do
not have untrusted people writing code right on their hosting servers.
Even for small sites, you can get your own VM from Rackspace Cloud for
about $10/month or from linode or any number of providers where you are
not sharing your PHP environment with anyone.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php