a quick introduction: i'm one of the folks maintaining the debian
php4/php5 packages. we're currently on the cusp of cutting a new stable
release "etch" (funny, i'd *swear* we've been saying that since
december...), which will include the second-to-most-recent releases of
4.4.x and 5.2.x with the security fixes from the most recent releases
my first question: do you have a designated person/list for security
related issues? it looks like i ended up becoming "point guy" for
tackling the various security issues that come up from time to time, and
it'd be nice if we could establish some lines of communication.
specifically it would be nice to have someone to contact when a new
vulnerability is reported who could point me at the relevant
files/changesets for specific fixes so i don't have to spend an evening
digging through CVS logs :)
as i mentioned, the latest version of php5 in etch includes a bunch of
fixes backported from the 5.2.1 release, but i believe that there are
good number of the mopb issues that either were not fixed in 5.2.1 or
were fixed but not backported by us. i'll probably start sending emails
here (or to whoever steps up as a contact point) with questions in the
near future for some of them. however, most pressing is mopb #44:
the (long) cast mm bug. i think i've found the relevant fix, but i
could use a verification from someone here as a quick sanity check:
is that it?
ps - as per the list guidelines i'm not digitally signing this email
with my pgp/gpg key. but if you need it, my keyid is 0x6e76d81d.