public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Last rites: dev-php5/pecl-pdo*
@ 2007-10-04 15:17 Christian Hoffmann
  2007-10-08  3:37 ` Robert Buchholz
  0 siblings, 1 reply; 4+ messages in thread
From: Christian Hoffmann @ 2007-10-04 15:17 UTC
  To: gentoo-dev, gentoo-dev-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# Christian Hoffmann <hoffie@gentoo.org> (04 Oct 2007)
# Outdated (no releases since May 2006), buggy and possibly vulnerable
# to security problems
# Masked for removal in 30 days
# replacement: USE="pdo" emerge =dev-lang/php-5*
dev-php5/pecl-pdo
# replacement: USE="pdo sybase mssql" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-dblib
# replacement: USE="pdo mysql" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-mysql
# replacement: USE="pdo oci8" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-oci
# replacement: USE="pdo odbc" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-odbc
# replacement: USE="pdo pgsql" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-pgsql
# replacement: USE="pdo sqlite" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-sqlite

The pdo-external USE flag was already removed from all dev-lang/php-5.2*
ebuilds (through php5_2-sapi.eclass) some days ago, php-5.1* is masked
for removal anyway.

Those external PDO packages no longer serve any purpose (they are
outdated, upstream does not seem to do any new releases at all) as
php-5.2* includes the same set of features already (same code base,
just more up-to-date).

- -- 
Christian Hoffmann
Gentoo PHP herd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHBQQYJ9KLJlGHWYIRAgxkAJ0VVDQGJ8TII8yMTTA/BLZZI5hgEQCgr3ye
WQgARkVTXpsnn6YlwdYX3cE=
=VS7T
-----END PGP SIGNATURE-----


* Re: [gentoo-dev] Last rites: dev-php5/pecl-pdo*
  2007-10-04 15:17 [gentoo-dev] Last rites: dev-php5/pecl-pdo* Christian Hoffmann
@ 2007-10-08  3:37 ` Robert Buchholz
  2007-10-08  8:05   ` Christian Hoffmann
  0 siblings, 1 reply; 4+ messages in thread
From: Robert Buchholz @ 2007-10-08  3:37 UTC
  To: gentoo-dev


On Thursday, 4. October 2007, Christian Hoffmann wrote:
> # Christian Hoffmann <hoffie@gentoo.org> (04 Oct 2007)
> # Outdated (no releases since May 2006), buggy and possibly vulnerable
> # to security problems

Anything security-related you know of or just a wild guess?

Robert


* Re: [gentoo-dev] Last rites: dev-php5/pecl-pdo*
  2007-10-08  3:37 ` Robert Buchholz
@ 2007-10-08  8:05   ` Christian Hoffmann
  2007-10-08 11:12     ` Robert Buchholz
  0 siblings, 1 reply; 4+ messages in thread
From: Christian Hoffmann @ 2007-10-08  8:05 UTC
  To: gentoo-dev


On 2007-10-08 at 05:37 +0200, Robert Buchholz wrote:

> On Thursday, 4. October 2007, Christian Hoffmann wrote:
> > # Christian Hoffmann <hoffie@gentoo.org> (04 Oct 2007)
> > # Outdated (no releases since May 2006), buggy and possibly vulnerable
> > # to security problems
> 
> Anything security-related you know of or just a wild guess?
Not exactly a wild guess, I just didn't want to make a statement
on whether these are security problems or not:
  * INFILE LOCAL option handling vs. open_basedir or safe_mode
  * A crash inside pdo_pgsql on some non-well-formed SQL queries
(both from php-5.2.4 ChangeLog)

That's why I said "possibly". :)

-- 
Christian Hoffmann
Gentoo PHP herd


* Re: [gentoo-dev] Last rites: dev-php5/pecl-pdo*
  2007-10-08  8:05   ` Christian Hoffmann
@ 2007-10-08 11:12     ` Robert Buchholz
  0 siblings, 0 replies; 4+ messages in thread
From: Robert Buchholz @ 2007-10-08 11:12 UTC
  To: Christian Hoffmann; +Cc: gentoo-dev


On 08.10.2007 at 10:05, Christian Hoffmann wrote:

> On 2007-10-08 at 05:37 +0200, Robert Buchholz wrote:
>
>> On Thursday, 4. October 2007, Christian Hoffmann wrote:
>>> # Christian Hoffmann <hoffie@gentoo.org> (04 Oct 2007)
>>> # Outdated (no releases since May 2006), buggy and possibly vulnerable
>>> # to security problems
>>
>> Anything security-related you know of or just a wild guess?
> Not exactly a wild guess, I just didn't want to make a statement
> on whether these are security problems or not:
>   * INFILE LOCAL option handling vs. open_basedir or safe_mode
>   * A crash inside pdo_pgsql on some non-well-formed SQL queries
> (both from php-5.2.4 ChangeLog)

Since the second is only a locally invoked* DoS and the first an
ever-beloved workaround for the basedir restriction, we don't
need to say goodbye with a maskglsa.

Thanks,
Robert

* unless someone allows remote users to submit SQL queries... :-)
-- 
gentoo-dev@gentoo.org mailing list


