Ok, I got it. Looks like we should not worry about the warning in OC6. Only one bug currently is not fixed: php is unable to upload files bigger than 2GB over the web interface. It is fixed in php 5.4 (OC6 tested on Ub12.04LTS). In order to upload files bigger than 2G, users can use webdav, which allows uploading even 20GB files.
PS On CentOS I am getting something like:

rpm -q --changelog php | grep CVE
- add security fix for CVE-2013-6420
- add security fix for CVE-2013-4248
- rename patch to math CVE-2010-3709 name
- add security fixes for CVE-2006-7243, CVE-2013-1643
- add security fix for CVE-2013-4113
- fix CVE reference in previous changelog entry
- remove reproducer from security fix for CVE-2012-0781
- add security fixes for CVE-2012-2688, CVE-2012-0831, CVE-2011-1398
- add security fix for CVE-2010-2950
- fix tests for CVE-2012-2143, CVE-2012-0789
- add fix for CVE-2012-2336
- add security fixes for CVE-2012-0781, CVE-2011-4153, CVE-2012-0057, CVE-2012-0789, CVE-2012-1172, CVE-2012-2143, CVE-2012-2386
- correct detection of = in CVE-2012-1823 fix (#818607)
- add security fix for CVE-2012-1823 (#818607)
- add security fix for CVE-2012-0830 (#786744)
- improve CVE-2011-1466 fix to cover CAL_GREGORIAN, CAL_JEWISH
- add security fixes for CVE-2011-2483, CVE-2011-0708, CVE-2011-1148, CVE-2011-1466, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470, CVE-2011-1471, CVE-2011-1938, and CVE-2011-2202 (#740732)
- add security fixes for CVE-2011-4885, CVE-2011-4566 (#769755)
- add security fixes for CVE-2010-4645, CVE-2010-4156 (#670439)
- add security fixes for CVE-2010-3709, CVE-2010-3710, CVE-2010-3870, CVE-2009-5016 (#651953)
- add security fixes for CVE-2010-1866, CVE-2010-2094, CVE-2010-1917, CVE-2010-2531, MOPS-2010-060 (#624469)
- add security fix for CVE-2010-0397 (#575712)
- add security fix for CVE-2010-2225 (#605644)
- add security fix for CVE-2009-4142 (#552268)

On Wed, Mar 12, 2014 at 3:52 PM, R P Herrold <[email protected]> wrote:
> On Tue, 11 Mar 2014, Stephan F. Schulz wrote:
>
> > Yes, it would actually be great to know if all relevant php issues are
> > patched in the latest rhel/centos package. Does somebody know about that? I
> > guess a lot of people are deploying on rhel/centos 6.5.
>
> for those not back reading, the comment in the git was:
>
> @karlitschek I think RHEL backported some bugfixes for PHP but
> doesn't increase the version number as it doesn't contain the
> bug fixes. Could this be possible? Maybe we should check on
> RHEL for another PHP version as we have tested it on those.
>
> It IS possible that Red Hat (and thus its rebuilds, including
> CentOS) DO backport and only increase the Release number, but not
> the Version number, with bug and security fixes. That is a basic
> part of their business model -- long lived stable API with bug
> and security fixes.
>
> Comparing on advertised Version numbers, rather than observed
> behaviours, or an analysis of what the running php asserts it
> has, simply will not work well in Red Hat and derived
> Enterprise product space (a more durable approach is listed
> later in this email).
>
> Red Hat addressed the concern of the now quite old php-5.1
> with an 'installs in its place' php53 years ago, and that
> version is regularly maintained (as is the prior, but ...)
>
> With a CVE in hand, one ** can ** programmatically check if it
> has been addressed, which is a much better way, perhaps, to
> check such distributions:
>
> [root@xps400 ~]# rpm -q --changelog php53 | grep CVE
> - add security fix for CVE-2013-6420
> - add security fix for CVE-2013-4248
> - add security fix for CVE-2013-4113
> - add security fixes for CVE-2006-7243
> - add security fixes for CVE-2012-2688, CVE-2012-0831,
>   CVE-2011-1398, CVE-2013-1643
> - add security fix for CVE-2010-2950
> - fix tests for CVE-2012-2143, CVE-2012-0789
> - add security fix for CVE-2012-2336
> - add security fixes for CVE-2011-4153, CVE-2012-0057, CVE-2012-0789,
> ...
>
> and so forth. As such, when a vulnerability is disclosed, add
> its CVE to a blacklist. If that is absent from such a changelog
> listing (a trivial 'grep -c' test), the sysadmin probably
> needs to update their installation before proceeding to
> install owncloud.
>
> -- Russ herrold
> one of the founders of CentOS
>
> _______________________________________________
> User mailing list
> [email protected]
> http://mailman.owncloud.org/mailman/listinfo/user
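The CVE-blacklist check Russ describes above, written out as an added example (not code from the thread or from any of its participants): a POSIX shell function that greps an rpm changelog, read from stdin, for each blacklisted CVE and reports the ones that are missing. The sample changelog and the id CVE-2014-0000 are constructed placeholders; the `rpm -q --changelog php53` invocation in the comment is the real command quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: turn "grep the rpm changelog for
# every blacklisted CVE" into a reusable check. The changelog is read from
# stdin so the logic can be exercised on a constructed sample; on a real
# RHEL/CentOS host feed it the actual changelog, e.g.
#   rpm -q --changelog php53 | check_cves CVE-2013-6420 CVE-2013-4248

# check_cves CVE-ID...   (changelog text on stdin)
# Prints one "MISSING: <id>" line per CVE not mentioned in the changelog.
# Returns 0 when every CVE was found, 1 when at least one is missing.
check_cves() {
    changelog=$(cat)
    missing=0
    for cve in "$@"; do
        # grep -c counts matching lines (the thread's test); -w keeps
        # CVE-2012-0789 from also matching a longer id such as
        # CVE-2012-07890; -- stops an odd argument being read as an option.
        if [ "$(printf '%s\n' "$changelog" | grep -c -w -- "$cve")" -eq 0 ]; then
            echo "MISSING: $cve"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample in the rpm --changelog layout (not a real package
# history). Note the entry whose CVE ids wrap onto a second line: a
# line-oriented grep still finds them because each id sits on some line.
SAMPLE_CHANGELOG='* Thu Dec 19 2013 Example Packager <pkg@example.invalid> - 5.3.3-27
- add security fix for CVE-2013-6420
- add security fixes for CVE-2012-2688, CVE-2012-0831,
  CVE-2011-1398, CVE-2013-1643
- fix tests for CVE-2012-2143, CVE-2012-0789'

# Demonstration on the sample: CVE-2014-0000 is a placeholder id that is
# deliberately absent, so the check reports it and the install is blocked.
if printf '%s\n' "$SAMPLE_CHANGELOG" | check_cves CVE-2013-6420 CVE-2011-1398 CVE-2014-0000; then
    echo "all blacklisted CVEs are addressed"
else
    echo "update php before installing ownCloud"
fi
```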
