Hi Ken,
> It looks like the BQ php is 4.3.9
>
> It seems like that is a vulnerable version:
> http://us3.php.net/releases/4_4_1.php
>
> Am I right about that?
A "naked" and unmodified PHP-4.3.9 would indeed be vulnerable to a lot of
things. But the PHP that's used by CentOS BlueQuartz is not a stock and
unmodified PHP-4.3.9. On a fully yum updated box it should be along the lines
of "php-4.3.9-3.22.5", where the release number 3.22.5 indicates the
patchlevel.
I don't have the SRPM for php-4.3.9-3.22.5, but the SRPM for php-4.3.9-3.22.4
has about 70 patch files inside and the *.spec file contains a very long list
of vulnerabilities that were fixed and also shows the related CVE numbers of
these vulnerabilities.
With that the CentOS team follows the same practice as many other OS vendors:
during the service life of a certain OS release they try to keep the
version number of all installed RPMs the same, but release patched versions
of the same RPMs whenever a vulnerability is detected.
--
With best regards,
Michael Stauber
http://www.solarspeed.net
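The point of the reply above is that on a CentOS box the upstream version string ("4.3.9") tells you nothing about which fixes are present; the RPM release number and the package changelog do. The following is an added example, not part of Michael's mail or of the BlueQuartz/CentOS packages: a small POSIX shell helper that splits a name-version-release string into its parts, extracts the CVE ids from changelog text, and compares two release numbers. The function names, the "Example Packager" entries and the CVE-0000-000x ids in the sample changelog are constructed placeholders, not the real entries from the php spec file; on a real system you would feed it the output of `rpm -q php` and `rpm -q --changelog php`.

```shell
#!/bin/sh
# Added example (not from the original mail): judge a vendor-patched RPM by its
# release number and changelog instead of by the upstream version string.
#
# Real-world usage on a CentOS/RHEL box:
#   rpm -q php                           # prints name-version-release, e.g. php-4.3.9-3.22.5
#   rpm -q --changelog php | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
# The helpers below work on plain text, so they also run where rpm is absent.

# Upstream version of a name-version-release string ("4.3.9" for php-4.3.9-3.22.5).
nvr_version() {
    printf '%s\n' "$1" | sed 's/^.*-\([^-]*\)-[^-]*$/\1/'
}

# Vendor release (the patchlevel) of a name-version-release string ("3.22.5").
nvr_release() {
    printf '%s\n' "$1" | sed 's/^.*-\([^-]*\)$/\1/'
}

# Unique CVE ids mentioned in changelog text read from stdin, one per line.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# "yes" if installed release $1 is at least fixed release $2, else "no".
# Compares dotted numeric components field by field (3.22.10 > 3.22.9);
# non-numeric components such as "el4" count as 0, which is a known limitation.
release_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) { print "yes"; exit }
            if (xi < yi) { print "no"; exit }
        }
        print "yes"
    }'
}

# Constructed changelog text in the shape of `rpm -q --changelog` output.
# The packager and CVE numbers are placeholders (assumption), not the real
# entries from the php-4.3.9 spec file.
SAMPLE_CHANGELOG='* Fri Jan 05 2007 Example Packager <pkg@example.invalid> 4.3.9-3.22.5
- fix CVE-0000-0003 (placeholder)
* Thu Nov 02 2006 Example Packager <pkg@example.invalid> 4.3.9-3.22.4
- fix CVE-0000-0001 and CVE-0000-0002 (placeholder)
- additional hunk for CVE-0000-0001 (placeholder)
'

# Number of distinct CVEs in the sample; the duplicate mention collapses.
sample_cve_count() {
    printf '%s' "$SAMPLE_CHANGELOG" | changelog_cves | wc -l | tr -d ' '
}

# "patched" if the installed NVR's release is at least the release known to
# carry a fix, else "unpatched". The upstream version is deliberately ignored.
verdict() {
    installed_nvr=$1
    fixed_release=$2
    if [ "$(release_at_least "$(nvr_release "$installed_nvr")" "$fixed_release")" = yes ]; then
        echo patched
    else
        echo unpatched
    fi
}

# Stand-alone run: both boxes report PHP 4.3.9, only the release differs.
verdict php-4.3.9-3.22.5 3.22.4
verdict php-4.3.9-3.15 3.22.4
```

Pointing a scanner at the `4.3.9` in the banner gives a false positive on every fully updated box; pointing it at the release number, or at the CVE list in the changelog, gives the answer the vendor actually ships.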