Date: Mon, 21 Nov 2016 19:40:12 +0000
From: Ben Tasker <ben@...tasker.co.uk>
To: oss-security@...ts.openwall.com
Subject: Re: WordPress (all versions): SPOF, RCE, and Negligence

Hi Michael,

On 21 Nov 2016 18:45, "Michael Babker" <michael.babker@...il.com> wrote:
>
>
> While I can somewhat understand why the Linux distributions choose the
> model they use for their "long term support" packages, it honestly does a
> disservice to those of us who now have to defensively code around it.  We
> can no longer rely on a package's version to accurately represent the
> state of the code base.

I agree, and truth be told I think there's some ground to be given on
either side.

There are good reasons for using stable distros, but as you say it makes it
very hard to build something when you can't rely on version numbers to
identify patch levels.

>
> I was Joomla's release lead at the time this decision was made.  We did
> not arbitrarily choose a PHP version number, arbitrarily locking out vendor
> modified PHP builds distributed with the LTS distros, just because we
> wanted to.

Sorry, didn't mean to make it sound like it was arbitrary. I know the
reasoning was based on available functionality vs required functionality.

> While I understand where you are coming from, to be quite frank, I don't
> believe the PHP ecosystem and its major players can continue to cater to
> these modified PHP builds as might have been expected in years past.

The problem is that these builds still constitute the majority of your
target market. It'll start to improve for a while due to Jessie and CentOS7
having a higher version, but as those approach EOL the same issue will
probably come up again.

The average user who just buys hosting doesn't have an awful lot of control
over what the hosts run either (though things do actually seem to be
improving in this regard).

I don't have a good answer as to what the solution is. There're very good
reasons for the LTS approach, but you're right about it being an untenable
position.

I am inclined to think it should be down to the distros to find a
resolution for, whether through exposing a reliable means to check
functionality level or some other means.
