GLSA - What's up with PHP?

Okay, this has been bugging me for a bit, and I need to rant. Every night I run the following in cron:

/usr/bin/glsa-check -l --nocolor 'affected'

Every night, I get an email sent to me with the following:

[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

200705-19 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
200610-14 [N] PHP: Integer overflow ( dev-lang/php )
200608-28 [N] PHP: Arbitary code execution ( dev-lang/php )
200703-21 [N] PHP: Multiple vulnerabilities ( dev-lang/php )

The part that is bugging me is that PHP is up to date. This has happened in the past where packages have been updated, but GLSA has no idea about that. The problem is that GLSAs are not slot-aware, apparently. Here is a bug report on the issue:

Wow.. that was originally published in 2007. Also, that was a problem GLSA which was later addressed. That was the point.. it was stating that the current PHP was vulnerable.. not the 'old' versions.

Just remove the old versions of PHP that are vulnerable. Why keep them installed?

If you do need those old versions then you should update them.


equery list -i php

Remove any that are no longer in use.

