Re: [gentoo-dev] Last rites: dev-php5/pecl-pdo*

2007-10-08 Thread Christian Hoffmann
On 2007-10-08 at 05:37 +0200, Robert Buchholz wrote:

> On Thursday, 4. October 2007, Christian Hoffmann wrote:
> > # Christian Hoffmann [EMAIL PROTECTED] (04 Oct 2007)
> > # Outdated (no releases since May 2006), buggy and possibly vulnerable
> > # to security problems
>
> Anything security-related you know of or just a wild guess?

Not exactly a wild guess, I just didn't want to make a statement
on whether these are security problems or not:
  * INFILE LOCAL option handling vs. open_basedir or safe_mode
  * A crash inside pdo_pgsql on some non-well-formed SQL queries
(both from php-5.2.4 ChangeLog)

That's why I said possibly. :)

-- 
Christian Hoffmann
Gentoo PHP herd




Re: [gentoo-dev] Last rites: dev-php5/pecl-pdo*

2007-10-08 Thread Robert Buchholz


On 08.10.2007 at 10:05, Christian Hoffmann wrote:

> On 2007-10-08 at 05:37 +0200, Robert Buchholz wrote:
> > On Thursday, 4. October 2007, Christian Hoffmann wrote:
> > > # Christian Hoffmann [EMAIL PROTECTED] (04 Oct 2007)
> > > # Outdated (no releases since May 2006), buggy and possibly vulnerable
> > > # to security problems
> >
> > Anything security-related you know of or just a wild guess?
>
> Not exactly a wild guess, I just didn't want to make a statement
> on whether these are security problems or not:
>   * INFILE LOCAL option handling vs. open_basedir or safe_mode
>   * A crash inside pdo_pgsql on some non-well-formed SQL queries
> (both from php-5.2.4 ChangeLog)


Since the second is only locally invoked* DoS and the first an
ever-beloved workaround for the basedir restriction, we don't
need to say goodbye with a maskglsa.

Thanks,
Robert

* unless someone allows remote users to submit SQL queries... :-)



Re: [gentoo-dev] Last rites: dev-php5/pecl-pdo*

2007-10-07 Thread Robert Buchholz
On Thursday, 4. October 2007, Christian Hoffmann wrote:
> # Christian Hoffmann [EMAIL PROTECTED] (04 Oct 2007)
> # Outdated (no releases since May 2006), buggy and possibly vulnerable
> # to security problems

Anything security-related you know of or just a wild guess?

Robert




[gentoo-dev] Last rites: dev-php5/pecl-pdo*

2007-10-04 Thread Christian Hoffmann
# Christian Hoffmann [EMAIL PROTECTED] (04 Oct 2007)
# Outdated (no releases since May 2006), buggy and possibly vulnerable
# to security problems
# Masked for removal in 30 days
# replacement: USE=pdo emerge =dev-lang/php-5*
dev-php5/pecl-pdo
# replacement: USE=pdo sybase mssql emerge =dev-lang/php-5*
dev-php5/pecl-pdo-dblib
# replacement: USE=pdo mysql emerge =dev-lang/php-5*
dev-php5/pecl-pdo-mysql
# replacement: USE=pdo oci8 emerge =dev-lang/php-5*
dev-php5/pecl-pdo-oci
# replacement: USE=pdo odbc emerge =dev-lang/php-5*
dev-php5/pecl-pdo-odbc
# replacement: USE=pdo pgsql emerge =dev-lang/php-5*
dev-php5/pecl-pdo-pgsql
# replacement: USE=pdo sqlite emerge =dev-lang/php-5*
dev-php5/pecl-pdo-sqlite

The pdo-external USE flag was already removed from all dev-lang/php-5.2*
ebuilds (through php5_2-sapi.eclass) some days ago, php-5.1* is masked
for removal anyway.

Those external PDO packages no longer serve any purpose (they are
outdated, upstream does not seem to do any new releases at all) as
php-5.2* includes the same set of features already (same code base,
just more up-to-date).

-- 
Christian Hoffmann
Gentoo PHP herd