* [gentoo-dev] Last rites: dev-php5/pecl-pdo*
From: Christian Hoffmann @ 2007-10-04 15:17 UTC
To: gentoo-dev, gentoo-dev-announce
# Christian Hoffmann <hoffie@gentoo.org> (04 Oct 2007)
# Outdated (no releases since May 2006), buggy and possibly vulnerable
# to security problems
# Masked for removal in 30 days
# replacement: USE="pdo" emerge =dev-lang/php-5*
dev-php5/pecl-pdo
# replacement: USE="pdo sybase mssql" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-dblib
# replacement: USE="pdo mysql" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-mysql
# replacement: USE="pdo oci8" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-oci
# replacement: USE="pdo odbc" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-odbc
# replacement: USE="pdo pgsql" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-pgsql
# replacement: USE="pdo sqlite" emerge =dev-lang/php-5*
dev-php5/pecl-pdo-sqlite
The pdo-external USE flag was already removed from all dev-lang/php-5.2*
ebuilds (through php5_2-sapi.eclass) some days ago, php-5.1* is masked
for removal anyway.
Those external PDO packages no longer serve any purpose (they are
outdated, upstream does not seem to do any new releases at all) as
php-5.2* includes the same set of features already (same code base,
just more up-to-date).
--
Christian Hoffmann
Gentoo PHP herd
* Re: [gentoo-dev] Last rites: dev-php5/pecl-pdo*
From: Robert Buchholz @ 2007-10-08 3:37 UTC
To: gentoo-dev
On Thursday, 4. October 2007, Christian Hoffmann wrote:
> # Christian Hoffmann <hoffie@gentoo.org> (04 Oct 2007)
> # Outdated (no releases since May 2006), buggy and possibly
> vulnerable
> # to security problems
Anything security-related you know of or just a wild guess?
Robert
* Re: [gentoo-dev] Last rites: dev-php5/pecl-pdo*
From: Christian Hoffmann @ 2007-10-08 8:05 UTC
To: gentoo-dev
On 2007-10-08 at 05:37 +0200, Robert Buchholz wrote:
> On Thursday, 4. October 2007, Christian Hoffmann wrote:
> > # Christian Hoffmann <hoffie@gentoo.org> (04 Oct 2007)
> > # Outdated (no releases since May 2006), buggy and possibly
> > vulnerable
> > # to security problems
>
> Anything security-related you know of or just a wild guess?
Not exactly a wild guess, I just didn't want to make a statement
on whether these are security problems or not:
* INFILE LOCAL option handling vs. open_basedir or safe_mode
* A crash inside pdo_pgsql on some non-well-formed SQL queries
(both from php-5.2.4 ChangeLog)
That's why I said "possibly". :)
--
Christian Hoffmann
Gentoo PHP herd
* Re: [gentoo-dev] Last rites: dev-php5/pecl-pdo*
From: Robert Buchholz @ 2007-10-08 11:12 UTC
To: Christian Hoffmann; +Cc: gentoo-dev
On 08.10.2007 at 10:05, Christian Hoffmann wrote:
> On 2007-10-08 at 05:37 +0200, Robert Buchholz wrote:
>
>> On Thursday, 4. October 2007, Christian Hoffmann wrote:
>>> # Christian Hoffmann <hoffie@gentoo.org> (04 Oct 2007)
>>> # Outdated (no releases since May 2006), buggy and possibly
>>> vulnerable
>>> # to security problems
>>
>> Anything security-related you know of or just a wild guess?
> Not exactly a wild guess, I just didn't want to make a statement
> on whether these are security problems or not:
> * INFILE LOCAL option handling vs. open_basedir or safe_mode
> * A crash inside pdo_pgsql on some non-well-formed SQL queries
> (both from php-5.2.4 ChangeLog)
Since the second is only a locally invoked* DoS and the first an
ever-beloved workaround for the basedir restriction, we don't
need to say goodbye with a maskglsa.
Thanks,
Robert
* unless someone allows remote users to submit SQL queries... :-)