sean finney wrote:
> was the regression introduced by the security upload, or was it just generally
> a problem with 5.2.0? as far as i knew it was the latter... ?

No - the problem was introduced by Etch+3. There's a security patch that supposedly fixes handling of nulls in strip_tags() -- which introduces this regression. I think it was the initial patch that the PHP folk put together, and then later fixed up. The debian package has the initial patch with the regression, but not the subsequent fixup.

> the unofficial packages have all of the recent security vulnerabilities in
> them as well, so i don't think it's so bad to have to use them. and as far
> as the next point release goes, it should be Real Soon Now.

I don't know how soon is RSN -- I hope it's Really RSN so we don't have to worry ;-) -- but Etch has a working unsafe PHP, while Etch+security has a broken PHP.

Re unofficial packages, all I can say is THANKS, but... I am sure 90% of the sysadmins looking after Etch boxes with PHP installed in production don't know there's even a problem. Users will lose data, complain, and after much pain and dataloss eventually clued-up sysadmins will read this bug and find your packages.

Having it fixed in security.d.o makes a lot more sense...

cheers,

m
--
-----------------------------------------------------------------------
Martin @ Catalyst .Net .NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/ PHYS: Level 2, 150-154 Willis St
OFFICE: +64(4)916-7224 UK: 0845 868 5733 ext 7224 MOB: +64(21)364-017
Make things as simple as possible, but no simpler - Einstein
-----------------------------------------------------------------------