[php-maint] Re: Bug#336645: PHP 4.4.1 fixes security bugs

Allard Hoeve allard at byte.nl
Thu Nov 24 16:58:07 UTC 2005


Dear PHP Maintainers, Florian,

* Florian Weimer:

> * Steve Langasek:
>
> > However, in reading over the description of the vulnerabilities, I don't
> > really see any grounds for regarding these as grave security bugs.  The most
> > severe of these problems, 202005.79, only has a significant impact when
> > register_globals is set in the PHP environment -- a setting which has been
> > strongly deprecated for quite some time, and which is disabled by default in
> > sarge.
>
> I think it boils down to whether Debian wants to offer security
> support for register_globals=on configurations.  So far, I assumed the
> answer is "yes".  I don't mind changing it to a "no" for practical
> reasons, but this has to be documented somewhere (like the lack of
> "safe mode" security support, ahem).

Following up on this. Is there a place where you document which
settings you do and do not support, and why?

It might be useful to users to know what kind of security support is
offered by the Debian PHP Maintainers and it would probably save you a lot
of questions. Or otherwise you could just point to the policy and close
the bug.

Following the same rationale, it might also be useful to add a section
about supported modules and whatnot in this hypothetical document.

And yes, I'm offering my help in drafting the document as well.

Regards,

Allard Hoeve
