Hi Bob,

On 11/04/2013 3:26 AM, Bob Proulx wrote:
> Andrew McGlashan wrote:
>> Now, php5-suhosin provides some real protection against programming
>> problems that could very easily exist and it is not uncommon to see
>> messages from Debian stable installs reporting bugs / vulnerabilities
>> detected by suhosin....
>
> The question isn't whether the suhosin patch did good with older PHP
> versions. The question is whether newer PHP versions benefit as much
> from it. Because in recent years AIUI many of the features of suhosin
> were merged into the mainline PHP. And supporting suhosin isn't easy.
> At least some other distros have also stopped supporting it too.

I understand that Ubuntu have 12.10 locked in on 5.3.9 because of lack of Suhosin patch / support. Don't know what later Ubuntu will be doing.

>> Will php5-suhosin be re-instated any time soon? And if not, what
>> measures can we take to protect Wheezy servers now?
>
> Here is a good place to read up on the current state of PHP plus
> suhosin in Debian.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657698
>
> It is a long thread with a lot of references to research. Grab a
> comfortable chair and a stimulating beverage.

Great, thank you very much for your post and the reference.

To cut a long story short, if PHP upstream has incorporated the features of Suhosin, then we should be fine; is it the final conclusion from that long thread and all the references from it, that we are in good shape with 5.4.4 -- better than pre 5.4 with Suhosin?

Thanks.

AndrewM