On Sun, 13 Jan 2008 14:25:36 -0500 (EST) Joshua Baker-LePain jlb17@duke.edu wrote:
On Sun, 13 Jan 2008 at 8:03am, Mark Weaver wrote
On Fri, 11 Jan 2008 04:05:56 -0600 Johnny Hughes johnny@centos.org wrote:
ummm ... the answer is probably never.
Red Hat offers a RHWAS ... that has a php5 for EL4. The version of php in there (and in our CentOSPlus repo) is php-5.1.6 ... it might go higher than that, but I doubt it will go to 5.2.x. If it does go there in RHWAS, it will also go there in CentOSPlus, but I would not hold my breath :-D
My question would be, "good god...why?" There are a ton of security holes in php5. From experience one of the holes I'm painfully aware of is php-cli which installs by default with the rest of php5.
Even an extremely brief search of the archives of this list would turn up tons of similar questions, and the same answer every time -- Red Hat backports security fixes to the stable version of packages in their Enterprise distro. That's why, e.g., for its entire 5 year supported life, RHEL5 will be based on kernel 2.6.18. However the base kernel will be heavily patched for security, driver upgrades, and new hardware support. They treat all packages (including PHP) similarly.
those patches didn't do much for keeping one of my systems from being breached via php. from the looks of the web server logs as well as the messages log file that's where they got in.
being the anal sort I am I first thought they'd breached the system through ssh, but that wasn't the case.
Mark