GLSA – What’s up with PHP?

Okay, this has been bugging me for a bit, and I need to rant. Every night I run the following in cron:


/usr/bin/glsa-check -l --nocolor 'affected'

Every night, I get an email sent to me with the following:


[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

200705-19 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
200610-14 [N] PHP: Integer overflow ( dev-lang/php )
200608-28 [N] PHP: Arbitary code execution ( dev-lang/php )
200703-21 [N] PHP: Multiple vulnerabilities ( dev-lang/php )

The part that is bugging me is that PHP is up to date. This has happened in the past, where packages have been updated but GLSA has no idea about it. The problem is that GLSAs are apparently not slot-aware. Here is a bug report on the issue:

http://bugs.gentoo.org/show_bug.cgi?id=189968
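
A filter for the nightly mail, as an added example that is not part of the original post: it parses the listing shown above and drops only the advisory IDs an administrator has already reviewed and recorded, so a new [N] entry still gets reported. The function names and the reviewed-list file (its path and format) are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage filter for the nightly glsa-check mail.

# sample_output: the listing quoted in the post, kept inline as test input.
sample_output() {
    cat <<'EOF'
[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

200705-19 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
200610-14 [N] PHP: Integer overflow ( dev-lang/php )
200608-28 [N] PHP: Arbitary code execution ( dev-lang/php )
200703-21 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
EOF
}

# parse_glsa: read the listing on stdin and print "ID<TAB>packages<TAB>title"
# for every [N] entry. Legend and blank lines never match the ID pattern.
parse_glsa() {
    awk '
    $1 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9]+$/ && $2 == "[N]" {
        lp = NF + 1                      # no "(" found: whole tail is the title
        for (i = NF; i > 2; i--) if ($i == "(") { lp = i; break }
        pkgs = ""; title = ""
        for (i = 3; i < lp; i++) title = title (title == "" ? "" : " ") $i
        for (i = lp + 1; i <= NF; i++) if ($i != ")") pkgs = pkgs (pkgs == "" ? "" : " ") $i
        printf "%s\t%s\t%s\n", $1, pkgs, title
    }'
}

# new_advisories ACKFILE: parse_glsa output minus the IDs listed in ACKFILE
# (hypothetical format: one reviewed GLSA ID per line, optional "# reason").
new_advisories() {
    parse_glsa | awk -F '\t' -v ack="$1" '
    BEGIN {
        while ((getline line < ack) > 0) {
            n = split(line, f, " ")
            if (n > 0 && f[1] !~ /^#/) seen[f[1]] = 1
        }
    }
    !($1 in seen)'
}

# Cron usage (the list path is an assumption of this example):
#   /usr/bin/glsa-check -l --nocolor 'affected' | new_advisories /etc/glsa-reviewed
```

An ID belongs in the reviewed list only after the installed version in every slot has been checked against that advisory by hand.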