On Sun, 13 Jan 2008 14:25:36 -0500 (EST) Joshua Baker-LePain <jlb17 at duke.edu> wrote: > On Sun, 13 Jan 2008 at 8:03am, Mark Weaver wrote > > > On Fri, 11 Jan 2008 04:05:56 -0600 > > Johnny Hughes <johnny at centos.org> wrote: > > >> ummm ... the answer is probably never. > >> > >> Red Hat offers a RHWAS ... that has a php5 for EL4. The version of > >> php in there (and in our CentOSPlus repo) is php-5.1.6 ... it might > >> go higher than that, but I doubt it will go to 5.2.x. If it does > >> go there in RHWAS, it will also go there in CentOSPlus, but I > >> would not hold my breath :-D > > > > My question would be, "good god...why?" There are a ton of security > > holes in php5. From experience one of the holes I'm painfully aware > > of is php-cli which installs by default with the rest of php5. > > Even an exteremely brief search of the archives of this list would > turn up tons of similar questions, and the same answer every time -- > Red Hat backports security fixes to the stable version of packages in > their Enterprise distro. That's why, e.g., for it's entire 5 year > supported life, RHEL5 will be based on kernel 2.6.18. However the > base kernel will be heavily patched for security, driver upgrades, > and new hardware support. They treat all packages (including PHP) > similarly. > those patches didn't do much for keeping one of my systems from being breached via php. from the looks of the web server logs as well as the messages log file that's where they got in. being the anul sort I am I first thought they'd breached the system through ssh, but that wasn't the case. Mark