[php-maint] PHP security policy review
Raphael Geissert
geissert at debian.org
Wed Jun 30 01:37:40 UTC 2010
Hi everyone,
While reviewing the security policy for PHP I noticed a few gaps which I think
are important to address.
At the moment I'd like to propose the following changes, so please comment and
feel free to propose others:
> --- a/debian/README.Debian.security
> +++ b/debian/README.Debian.security
> @@ -1,10 +1,13 @@
>
> the Debian stable security team does not provide security support
> -for certain configurations known to be inherently insecure. Most
> -specifically, the security team will not provide support for flaws in:
> +for certain configurations known to be inherently insecure. This
> +includes the interpreter itself, extensions, and code written in the
> +PHP language. Most specifically, the security team will not provide
> +support for flaws in:
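Review bot: the added sentence "This includes the interpreter itself, extensions, and code written in the PHP language" is ambiguous about what "This" refers to; read literally, it says the interpreter and extensions are themselves among the "configurations known to be inherently insecure", which is not the intent stated in the cover note (that the policy covers the interpreter and applications alike). Suggest making the subject explicit, e.g. "This policy applies to the interpreter itself, to extensions, and to applications written in PHP."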
To clarify that the policy applies to the interpreter and apps, which is how
it has been treated so far.
> - problems which are not flaws in the design of php but can be problematic
> - when used by sloppy developers (for example, not checking the contents
> - of a tar file before extracting it).
> + when used by sloppy developers (for example: not checking the contents
> + of a tar file before extracting it, using unserialize() on
> + untrusted data, or relying on a specific value of short_open_tag).
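Review bot: the new wording only names short_open_tag, while the cover note says the intent is to exclude reliance on ini settings in general; if that is the policy, the text should say so, e.g. "or relying on a specific value of an ini setting such as short_open_tag", otherwise a reader will assume other ini settings are still covered. The parenthetical now carries three examples on two lines and would read more clearly as a short list under the "problems which are not flaws in the design of php" item.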
To include unserialize() and ini settings such as short_open_tag.
If there are no objections, I'm going to include that change in the next
upload and make it the policy for Squeeze. Unless there's a reason to
reconsider the policy applying to lenny, it won't be updated to squeeze's.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net