Hi,

On Wednesday 23 May 2007 08:25, sean finney wrote:
> hey guys,
>
> just ftr,
>
> On Tuesday 22 May 2007 10:41, Ondřej Surý wrote:
> > > so I'm not that enthusiastic. But I'll do some more research and
> > > experimenting with this patch and a set of PHP applications, and see
> > > whether it's something to worry about or not.
> >
> > I suggest you read the patch :-).
>
> I've actually heard of different breakages caused by the suhosin
> patch, but it seems that in such cases it's usually a matter of tweaking
> some variables here and there to increase certain limits, etc. Also,
> there's a master toggle switch which turns errors into warnings.
Since I'm one of the php-suhosin maintainers, I can confirm that with restrictive settings (some of the default settings seem too restrictive for some applications) some applications don't work smart anymore, but this will lead us into the problem that most of the applications are badly written (like PHP anyway).

> so, we could hypothetically ship with it turned off first to see how it's
> received, and then assuming we're still early enough in the release cycle
> we could turn it on and ship lenny with an active, suhosin-patched php.

Looking into the feature list[¹], the patch for PHP provides only the "Engine Protection" with the following features:

* Protects the internal memory manager against buffer overflows with Canary and SafeUnlink Protection
* Protects Destructors of Zend Hashtables
* Protects Destructors of Zend Linked-Lists
* Protects the PHP core and extensions against format string vulnerabilities
* Protects against errors in certain libc realpath() implementations

The rest of the feature set is provided by php-suhosin[²].

With kind regards,
Jan.

[¹] http://www.hardened-php.net/suhosin/a_feature_list.html
[²] http://packages.qa.debian.org/p/php-suhosin.html
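To make the first bullet of that feature list concrete, here is an added C illustration of what a canary plus a safe-unlink check buys a linked-list destructor. It is a constructed toy written for this page, not suhosin or Zend code: the node layout, the `CANARY_MAGIC` constant and the `demo()` modes are all assumptions. A node is only unlinked if its guard value is intact and both neighbours still point back at it, so a corrupted pointer is refused instead of being written through.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed toy doubly linked list with a per-node canary: NOT the Zend
 * list or memory manager, only an illustration of the two named checks. */
typedef struct node {
    struct node *prev;
    struct node *next;
    uint32_t canary;              /* set at allocation, verified before unlink */
} node_t;

#define CANARY_MAGIC 0xC0DEC0DEu  /* constructed; real implementations randomise it */

/* Safe unlink rule: a node may only be removed if both neighbours point back to it. */
int links_consistent(const node_t *p) {
    if (p->prev != NULL && p->prev->next != p) return 0;
    if (p->next != NULL && p->next->prev != p) return 0;
    return 1;
}

/* Returns 0 when p was unlinked, -1 when a check refused the operation. */
int safe_unlink(node_t *p) {
    if (p->canary != CANARY_MAGIC || !links_consistent(p)) return -1;
    if (p->prev != NULL) p->prev->next = p->next;
    if (p->next != NULL) p->next->prev = p->prev;
    p->prev = p->next = NULL;
    return 0;
}

/* Builds a <-> b <-> c as n[0..2]; the caller frees all three nodes. */
static void build(node_t *n[3]) {
    for (int i = 0; i < 3; i++) {
        n[i] = calloc(1, sizeof **n);
        if (n[i] == NULL) abort();
        n[i]->canary = CANARY_MAGIC;
    }
    n[0]->next = n[1]; n[1]->prev = n[0]; n[1]->next = n[2]; n[2]->prev = n[1];
}

/* mode 0: intact list; mode 1: b's back pointer redirected to c, as an overflow
 * that overwrites list pointers would; mode 2: b's canary stomped.
 * Returns 0 when the unlink of b is accepted, -1 when it is refused. */
int demo(int mode) {
    node_t *n[3]; build(n);
    if (mode == 1) n[1]->prev = n[2];
    if (mode == 2) n[1]->canary ^= 1;
    int rc = safe_unlink(n[1]);
    for (int i = 0; i < 3; i++) free(n[i]);
    return rc;
}
```

The toggle sean mentions corresponds to deciding what happens when `safe_unlink()` returns -1: abort the request, or only log it and continue.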