[CentOS] php 5.1.6 vulnerability in CentosPlus repo

Sun Jul 3 13:11:13 UTC 2011
John R. Dennison <jrd at gerdesas.com>

On Sun, Jul 03, 2011 at 02:29:12PM +0200, Alain Péan wrote:
> 
> 
> So 5.1.6 is the current package on CentOS, at least in base repo, I 
> don't know for CentOSPlus, and your question is totally valid.

The php in base, for both C4 and C5, gets updates.  I've not seen an
update for the C4 plus package since, well, 2008.  This also brings up
the question what stack this package was part of upstream; I'm not able
to locate it in Red Hat's mirrors.

> I am not using PHP, so I am not aware of the last vulnerabilities, but 
> you should know that RedHat backports security fixes, and features, from 
> further releases, so the version number is not that informative. See for 
> example this rather old thread (2010) :

They only backport for supported packages.  It appears that this package
may have been orphaned upstream.

> http://forums.whirlpool.net.au/archive/1424743

Returns a 404.




							John

-- 
When there are too many policemen, there can be no liberty.  When there are
too many soldiers, there can be no peace.  When there are too many lawyers,
there can be no justice.

-- Lin Yutang (10 October 1895 - 26 March 1976), Chinese writer and translator,
as quoted in Alexander, James (2005). The World's Funniest Laws. Cheam: Crombie
Jardine. pp. page 6
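The two points made above, that backported fixes make the version string uninformative and that a changelog stopping in 2008 is the real warning sign, both turn on reading the RPM changelog rather than the version. The POSIX shell script below is an added example, not part of the original thread or of any CentOS or Red Hat tooling; the embedded changelog text is constructed for the example (fictional maintainer, dates and entries, no real CVE identifiers), and `rpm -q --changelog` is only invoked when rpm is present and the package is installed.

```shell
#!/bin/sh
# Added example: judge an RPM by its changelog, not by its version string.
# Red Hat backports fixes into the same upstream version, so "php-5.1.6"
# alone says nothing about what is patched; the changelog does, and the
# date of its newest entry shows whether anyone still maintains the package.

# Constructed sample of what `rpm -q --changelog <pkg>` prints (fictional
# maintainer, dates and text; not a real changelog and no real CVE ids).
SAMPLE_CHANGELOG='* Mon Mar 03 2008 Example Maintainer <maint@example.invalid> - 5.1.6-20.el4.centos
- backport of an upstream security fix (placeholder entry)

* Tue Jan 16 2007 Example Maintainer <maint@example.invalid> - 5.1.6-12.el4.centos
- rebuild against newer openssl

* Fri Sep 15 2006 Example Maintainer <maint@example.invalid> - 5.1.6-1.el4.centos
- update to 5.1.6'

# changelog_mentions CHANGELOG PATTERN
# Exit 0 if any changelog line contains PATTERN (fixed string, case-insensitive).
# Pass a CVE id to learn whether a fix was backported regardless of version.
changelog_mentions() {
    printf '%s\n' "$1" | grep -qiF -- "$2"
}

# newest_changelog_year CHANGELOG
# Prints the year from the first (newest) "* <weekday> <month> <day> <year>" header.
newest_changelog_year() {
    printf '%s\n' "$1" | awk '/^\* / { print $5; exit }'
}

# is_stale CHANGELOG CURRENT_YEAR MAX_AGE_YEARS
# Exit 0 when the newest changelog entry is more than MAX_AGE_YEARS old,
# or when no entry header can be parsed at all.
is_stale() {
    year=$(newest_changelog_year "$1")
    [ -n "$year" ] || return 0
    [ $(( $2 - year )) -gt "$3" ]
}

# installed_changelog PKG
# Real changelog when rpm exists and PKG is installed; otherwise the
# constructed sample, so the script also runs on machines without rpm.
installed_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# Usage: sh check_changelog.sh php [CVE-id]
if [ "$#" -ge 1 ]; then
    pkg=$1
    log=$(installed_changelog "$pkg")
    echo "$pkg: newest changelog entry is from $(newest_changelog_year "$log")"
    if is_stale "$log" "$(date +%Y)" 2; then
        echo "$pkg: no changelog entry in over two years; check whether it is still maintained"
    fi
    if [ -n "$2" ]; then
        if changelog_mentions "$log" "$2"; then
            echo "$pkg: changelog mentions $2 (fix was backported)"
        else
            echo "$pkg: no mention of $2 in the changelog"
        fi
    fi
fi
```

Run it as `sh check_changelog.sh php CVE-XXXX-YYYY` on the host in question: a hit in the changelog means the fix is present even though `rpm -q php` still reports 5.1.6, while a newest entry several years old, as described for the C4 plus package, is the signal that the package may be orphaned and that no backport should be expected.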