Disabling the Suhosin patch by default in Debian Wheezy (Debian Testing)
Omer Zak
w1 at zak.co.il
Sun Feb 26 10:19:00 IST 2012
Very interesting and depressing article.
The general problem is one of securing large software packages.
On one hand, there are optional security patches for the Linux kernel.
Some of them retain their independence for a while. Others get merged
into the stock kernel.
On the other hand, I don't remember seeing similar problems with Perl or
Python. Somehow, they manage to incorporate all security fixes into the
standard interpreters, so there is no need for patches like PHP's
Suhosin.
Why is there a difference among PHP, Linux kernel and Perl/Python
handling of security vulnerabilities?
P.S.: One must remember that the Free Software/Open Source nature of
all those projects allows people to at all develop and apply independent
security patches - something whose absence is overwhelming in ecosystems
like MS-Windows.
--- Omer
On Sun, 2012-02-26 at 04:07 +0200, Baruch Siach wrote:
> Hi Omer,
>
> On Sat, Feb 25, 2012 at 11:21:38PM +0200, Omer Zak wrote:
> > Today, when I upgraded my old PC, which is running Debian Testing
> > (currently Debian Wheezy), I was informed of the following:
> >
> > php5 (5.3.9-4) unstable; urgency=low
> >
> > * The Suhosin patch is now disabled in the default build.
> >
> > If you want to re-enable it again for your installation, you can
> > set the option PHP5_SUHOSIN=yes in debian/rules and recompile PHP.
> >
> > -- Ondřej Surý <ondrej at debian.org> Sat, 28 Jan 2012 08:39:36 +0100
> >
> > Does anyone know why did the packers decide to reverse the previous
> > policy of installing PHP5 with the Suhosin patch by default?
>
> See http://lwn.net/Articles/479716/ for the full story.
>
> baruch
>
--
PHP - the language of the Vogons.
My own blog is at http://www.zak.co.il/tddpirate/
My opinions, as expressed in this E-mail message, are mine alone.
They do not represent the official policy of any organization with which
I may be affiliated in any way.
WARNING TO SPAMMERS: at http://www.zak.co.il/spamwarning.html
More information about the Linux-il
mailing list