May is the month of PHP security

According to Stefan Esser, author of the Suhosin patch, May 2010 will be the “Month of PHP Security” :

This initiative continues the effort of Hardened-PHP’s Month of PHP Bugs in 2007 to improve the security of PHP and the PHP ecosystem by disclosing vulnerabilities in PHP and PHP applications on the one hand and on the other hand by publishing articles and tools that help PHP application developers to develop more secure PHP applications.

You’ll find more information on the MoPS website and you can follow its twitter account to discover each vulnerability as soon as it’s reported.

4 replies on “May is the month of PHP security”

I love what you’re doing here but I noticed an issue, the package contains an old version of libxml and it’s broken things like magpie and simplepie ..

Any way this can be compiled against a newer libxml?

It shows version 2.6.32 which is quite outdated..

@Loonie Waugh : the problem is the same as with MySQL libraries. Building PHP against another libxml will lead to conflicts, duplicate symbols and then segfaults as soon as Apache is invoked, since it’s build against libxml too.

And I won’t take the risk of backporting a newer libxml2. It would impact DNS resolving, Apache and so on…

Sorry. Squeeze is near, be patient.

I had tried upgrading to the current 5.3 release which did in fact correct the RSS issues that we were seeing, but it also broke many things.

Squeeze is based on 5.3 isn’t it? the problem I have is that I run a web server that hosts a couple hundred client sites, most of which are PHP/MySQL .. so I have to be cautious what I do. The upgrade to the dotdeb 5.2.12 ( and now 13 ) was because of a PCI compliance issue.

The only issue I have currently is the issue with RSS feeds being broken due to the old libxml.. a major upgrade is always frightening 🙂

Comments are closed.