PHP 5.4 revisited

Support/Development for PHP
Phrozyn
New Forum User
Posts: 2
Joined: Thu Nov 01, 2012 11:19 am
Location: Dallas TX


Hello there,

I'm new; if this isn't the right way to do this, I apologize.

I'm having a problem with a particular ASV as they are of an opinion that PHP version 5.3.x is vulnerable to CVE-2011-0755:

https://access.redhat.com/security/cve/CVE-2011-0755

Regardless of Red Hat's take on the issue, the ASV has refused to accept the appeal. I am currently in the process of appealing again, but if it comes back denied I need some form of recourse.
I am not in the habit of compiling and installing packages willy-nilly. Considering this system is not my own but a customer's PCI-based system, installing from source would simply create another issue of having to support it and keep it updated outside of automated means.
I've reviewed a few posts regarding 5.4 and did see where someone mentioned it being in testing. However, the testing repo didn't list it when I last checked (this morning), so I was wondering what the status is of getting 5.4 ready for release to at least one of the repos so I can begin testing/vetting it.

I really appreciate any suggestions, status updates, or advice!
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: PHP 5.4 revisited


PHP 5.4.x isn't in testing (it is in ASL, however, so I know what is required to support it). That being said, according to the errata from Red Hat, they are saying:

1) We do not agree with the CVE (note: just because something is in CVE does not necessarily mean it's actually a vulnerability. It's a subjective system, and those of us on the development side don't have to take their word for it)
2) We're not going to fix it. At least as of THAT errata; it's entirely possible that it has been fixed in later errata. I don't know on this point, since I haven't checked.


So, better question here: did PHP respond to this? Presumably it was fixed in PHP 5.3.4 (it would indicate such in the CVE, but again, those are not canon), and if so, there are PHP 5.3.18 packages in atomic now.
Phrozyn
New Forum User
Posts: 2
Joined: Thu Nov 01, 2012 11:19 am
Location: Dallas TX

Re: PHP 5.4 revisited


I'm sorry, I totally got confused after dealing with all the different versions.
Somehow I got hinged on 5.4 and I didn't need to be.

Thanks for clearing that up. This topic can be closed/deleted.