atomic-php52

Support/Development for PHP
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

atomic-php52

Post by Imaging

Are the atomic-php52 scl packages up-to-date security wise?

We had them installed on a test box but haven't seen an update in a while, so I was curious if all applicable security patches to date have been applied.

On a related note, is it possible to get an atomic-php52-suhosin package?

Thanks.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: atomic-php52

Post by scott

They're coming up on a refresh cycle in the next sprint. One thing there about the vulnerability cycle: basically, all the security research out there isn't looking at PHP 5.2 at all. 5.1 and 5.3 get a little bit of scrutiny because of Red Hat, but otherwise there is no research that I have found that is looking at 5.2. What we do is look at reported vulnerabilities across all versions and determine if they apply.
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: atomic-php52

Post by Imaging

Thanks.

Perhaps the CloudLinux folks might have some research done with 5.2.x.

Recently ran across:

https://www.cloudlinux.com/about/hardenedphp.php

which I think is relatively new from them.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: atomic-php52

Post by scott

Yeah, that's really the same thing here. In the grander scheme of things, vulnerability research in this kind of scenario is really based on looking at a reported issue on a newer version (like 5.6, for example, where there was no older research) and evaluating whether it has context.

If the vulnerability applies to a component in 5.6 that does not exist in 5.2, you can rule it out right away. For example, mysqlnd (the native driver): this doesn't exist in 5.2, so the newer research doesn't have any context.

Sometimes the component hasn't changed at all, so it's a straight comparison and backport. This is not terribly common with 5.2 these days.

The last case is that the feature does exist but has changed so considerably that any PoC exploit doesn't work, so you have to do new research to vet the issue against the older code base. That can take a while, and as often as not yields a situation where the vulnerability does not apply.
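The three outcomes scott describes (component absent, component unchanged, component changed) can be mechanised as a first-pass triage before any human looks at a PoC. The script below is an added example, not Atomicorp's or PHP's code: it compares the files an upstream fix touches across an older and a newer source tree by SHA-256 and sorts each advisory into "not-applicable", "backport" or "research". The two trees, their file contents and the advisory identifiers are constructed stand-ins; a real run would read them from unpacked php-5.2.x and php-5.6.x tarballs and from the paths in the upstream commit.

```python
"""Triage upstream PHP advisories against an older source tree.

Added example (not Atomicorp's or PHP's code). It encodes the three outcomes
described in the post: the fixed component does not exist in the old tree
(not applicable), the component is byte-identical in both trees (straight
backport), or the component exists but has diverged (new research needed).
All file paths, file contents and advisory identifiers are constructed.
"""
import hashlib
from dataclasses import dataclass


# Constructed stand-ins for two source trees, keyed by relative path.
# Real triage would read these from unpacked php-5.2.x and php-5.6.x tarballs.
NEWER_TREE = {
    "ext/mysqlnd/mysqlnd_wireprotocol.c": "/* mysqlnd: added in 5.3 */ int read_row(void);",
    "ext/standard/quot_print.c": "char *php_quot_print_decode(const char *s);",
    "ext/gd/gd.c": "/* rewritten loader */ int gd2_load(const char *p);",
}
OLDER_TREE = {
    # no ext/mysqlnd at all: the component simply does not exist here
    "ext/standard/quot_print.c": "char *php_quot_print_decode(const char *s);",
    "ext/gd/gd.c": "/* original loader */ int gd2_load(const char *p);",
}


@dataclass(frozen=True)
class Advisory:
    ident: str            # constructed label, not a real CVE id
    touched: tuple        # files the upstream fix modifies
    summary: str


def sha256_of(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def classify(adv: Advisory, older=OLDER_TREE, newer=NEWER_TREE) -> str:
    """Return 'not-applicable', 'backport' or 'research' for one advisory."""
    present = [p for p in adv.touched if p in older]
    if not present:
        # Case 1: the vulnerable code was never in the old tree (e.g. mysqlnd).
        return "not-applicable"
    if len(present) == len(adv.touched) and all(
        sha256_of(older[p]) == sha256_of(newer.get(p, "")) for p in present
    ):
        # Case 2: every touched file is identical, so the upstream diff
        # should apply as-is and the PoC should reproduce unchanged.
        return "backport"
    # Case 3: the component exists but differs (or the fix straddles files
    # that are missing), so the newer PoC cannot be trusted either way.
    return "research"


def triage(advisories) -> dict:
    """Map each advisory identifier to its triage verdict."""
    return {a.ident: classify(a) for a in advisories}


# Constructed advisories mirroring the three cases in the post.
ADVISORIES = (
    Advisory("ADV-A", ("ext/mysqlnd/mysqlnd_wireprotocol.c",), "row parsing overflow"),
    Advisory("ADV-B", ("ext/standard/quot_print.c",), "bounds error in decoder"),
    Advisory("ADV-C", ("ext/gd/gd.c",), "heap overflow in gd2 loader"),
)

if __name__ == "__main__":
    for ident, verdict in triage(ADVISORIES).items():
        print(f"{ident}: {verdict}")
```

A fix that touches several files is deliberately classed as "research" unless every file is present and identical, since a partially applicable patch is exactly the situation where a newer PoC says nothing reliable about the older build. Only the "backport" bucket is safe to hand straight to packaging; the other two still need the manual vetting the post describes.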