We are working on php4 updates but we are not able to release them before the second week of January since most developers and testers are not available.
Ho-hum. It might have been wise to allow for vulnerabilities that get discovered during holidays. Worms don't usually keep track of people's vacations.
Yes.
The SANTY.A worm itself spreads using a phpBB (a php forum software) vulnerability, not by a bug in php4.
Ahem! Marcus, that is most definitely not true. I refer you to
This exact worm does. I stand corrected. Other worms might already exploit the php vulnerabilities, true. I am following the full-disclosure and bugtraq lists, and currently no worm that exploits those directly has been reported in my reading.
http://www.php.net/release_4_3_10.php
where it is adamantly stated "All Users of PHP are strongly encouraged to upgrade to this release as soon as possible". Seven CVE entries are fixed with this. Furthermore, newer worms attack PHP itself, not per se phpBB:
Yes, but we did not want to give you an untested update that would cause more work on your and our side before Christmas.
PhpBB was the first symptom, but php has the vulnerability.
Yes. I expect we are going to see more of those. There are also still lots of php based projects out there which are insufficiently audited. As for the php updates, we really wanted them to go out before Christmas, but there was pretty much confusion about patches and additional fixes, and also reduced QA power due to parallel kernel and samba problems.
Ciao, Marcus