On Tue, 11 Mar 2014, Stephan F. Schulz wrote:

> Yes, it would actually be great to know if all relevant php issues are 
> patched in the latest rhel/centos package. Does somebody know about that? I 
> guess a lot of people are deploying on rhel/centos 6.5.

for those not back reading, the comment in the git was:

@karlitschek I think RHEL backported some bug fixes for PHP but 
doesn't increase the version number as it doesn't contain the 
bug fixes. Could this be possible? Maybe we should check on 
RHEL for another PHP version as we have tested it on those.

It IS possible that Red Hat (and thus its rebuilds, including 
CentOS) DO backport and only increase the Release number, but not 
the Version number, with bug and security fixes.  That is a basic 
part of their business model -- a long-lived stable API with bug 
and security fixes.

Comparing on advertised Version numbers, rather than observed 
behaviours, or an analysis of what the running php asserts it 
has, simply will not work well in the Red Hat and derived 
Enterprise product space (a more durable approach is listed 
later in this email).

Red Hat addressed the concern of the now quite old php-5.1 
with an 'installs in its place' php53 years ago, and that 
version is regularly maintained (as is the prior, but ...)

With a CVE in hand, one ** can ** programmatically check if it 
has been addressed, which is a much better way, perhaps, to 
check such distributions:

[root@xps400 ~]# rpm -q --changelog php53 | grep CVE
- add security fix for CVE-2013-6420
- add security fix for CVE-2013-4248
- add security fix for CVE-2013-4113
- add security fixes for CVE-2006-7243
- add security fixes for CVE-2012-2688, CVE-2012-0831,
  CVE-2011-1398, CVE-2013-1643
- add security fix for CVE-2010-2950
- fix tests for CVE-2012-2143, CVE-2012-0789
- add security fix for CVE-2012-2336
- add security fixes for CVE-2011-4153, CVE-2012-0057, CVE-2012-0789,
 ...

and so forth.  As such, when a vulnerability is disclosed, add 
its CVE to a blacklist.  If that is absent from such a changelog 
listing (a trivial 'grep -c ' test), the sysadmin probably 
needs to update their installation before proceeding to 
install owncloud.

-- Russ Herrold
        one of the founders of CentOS
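An added example, not part of Russ's mail, that turns the changelog check he describes into a small POSIX sh function: it runs a CVE blacklist against `%changelog` text and prints the ids that are absent, so a non-zero exit means "update before installing". The `rpm -q --changelog php53` form is the mail's; `cves_missing`, `check_package` and the `SAMPLE_CHANGELOG` excerpt are constructed here so the logic can be exercised on a box without rpm.

```shell
#!/bin/sh
# Added example (not from the original mail): check whether each CVE in a
# blacklist is mentioned in an RPM package's %changelog, as the mail's
# `rpm -q --changelog php53 | grep CVE` does, but id by id.

# Constructed sample changelog text, modelled on the php53 excerpt above.
SAMPLE_CHANGELOG='- add security fix for CVE-2013-6420
- add security fix for CVE-2013-4248
- add security fixes for CVE-2012-2688, CVE-2012-0831,
  CVE-2011-1398, CVE-2013-1643'

# cves_missing CHANGELOG_TEXT CVE...
# Prints each listed CVE that does NOT appear in the changelog text.
# Exit status 0 when every CVE is present, 1 when at least one is absent.
cves_missing() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        # -F: match the id literally; -w: whole word only, so CVE-2013-642
        # does not count as present just because CVE-2013-6420 is; -c: count.
        if [ "$(printf '%s\n' "$changelog" | grep -Fcw -- "$cve")" -eq 0 ]; then
            echo "$cve"
            missing=1
        fi
    done
    return $missing
}

# check_package PKG CVE...
# Live form: read the installed package's changelog from rpm and check it.
check_package() {
    pkg=$1
    shift
    cves_missing "$(rpm -q --changelog "$pkg")" "$@"
}

# Example use on a real RHEL/CentOS host (hypothetical blacklist entries):
#   check_package php53 CVE-2013-6420 CVE-2013-4248 || echo "php53 needs updating"
```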
