[php-maint] Bug#336645: PHP 4.4.1 fixes security bugs
Steve Langasek
vorlon at debian.org
Tue Nov 1 07:31:47 UTC 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, Oct 31, 2005 at 07:14:55PM +0100, Florian Weimer wrote:
> Package: php4
> Tags: security
> Severity: grave
> The Hardened-PHP project has disclosed several security
> vulnerabilites:
> <http://www.hardened-php.net/advisory_182005.77.html>
> <http://www.hardened-php.net/advisory_192005.78.html>
> <http://www.hardened-php.net/advisory_202005.79.html>
> <http://www.hardened-php.net/globals-problem>
> The "globals problem" appears to be somewhat nasty. It is not clear
> if it applies to stable's 4.3.10 version because the security feature
> which turned out to be buggy was introduced in 4.3.11, according to
> the fourth link above. (Maybe PHP before 4.3.11 is vulnerable to some
> other issue; I don't know.)
The globals problem described does apply to php 4.3.10.
However, in reading over the description of the vulnerabilities, I don't
really see any grounds for regarding these as grave securty bugs. The most
severe of these problems, 202005.79, only has a significant impact when
register_globals is set in the PHP environment -- a setting which has been
strongly deprecated for quite some time, and which is disabled by default in
sarge. There is a *lot* of PHP application code that is vulnerable to XSS
or remote injection attacks when run with register_globals on, or which does
stupid things with manually registering request variables as global
variables; I'm not convinced that this warrants a grave bug against PHP...
- --
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon at debian.org http://www.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDZxnjKN6ufymYLloRAlbzAJ9WEN3VAYDovKNzoW5RyTHxuMy38QCgv49I
CrTe7FA6zS0K22ZHRjk+P24=
=8OyH
-----END PGP SIGNATURE-----
More information about the pkg-php-maint
mailing list