[php-maint] PHP security policy review

Raphael Geissert geissert at debian.org
Wed Jun 30 01:37:40 UTC 2010


Hi everyone,

While reviewing the security policy for PHP I noticed a few gaps which I think 
are important to address.

At the moment I'd like to propose the following changes, so please comment and 
feel free to propose others:

> --- a/debian/README.Debian.security
> +++ b/debian/README.Debian.security
> @@ -1,10 +1,13 @@
> 
>  the Debian stable security team does not provide security support
> -for certain configurations known to be inherently insecure.  Most
> -specifically, the security team will not provide support for flaws in:
> +for certain configurations known to be inherently insecure.  This
> +includes the interpreter itself, extensions, and code written in the
> +PHP language. Most specifically, the security team will not provide
> +support for flaws in:
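Review bot: the new second sentence in this hunk is ambiguous about what "This" refers to. Read directly after "configurations known to be inherently insecure", it can be taken to say that the interpreter, extensions and PHP code are themselves inherently insecure, rather than that the policy's scope covers them. Suggest stating the scope explicitly, e.g. "This policy covers the interpreter itself, extensions, and code written in the PHP language.", which matches the intent given in the cover text (that the policy applies to the interpreter and apps as it has been treated so far).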

To clarify that the policy applies to the interpreter and apps, which is how 
it has been treated so far.

>  - problems which are not flaws in the design of php but can be problematic
> -  when used by sloppy developers (for example, not checking the contents
> -  of a tar file before extracting it).
> +  when used by sloppy developers (for example: not checking the contents
> +  of a tar file before extracting it, using unserialize() on
> +  untrusted data, or relying on a specific value of short_open_tag).
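Review bot: in the expanded example list, short_open_tag is not identified as a configuration directive, unlike the other two items, which are coding practices; a reader unfamiliar with php.ini may not see why it belongs in a list of sloppy-developer problems. Suggest "relying on a specific value of the short_open_tag ini setting", which is how the cover text itself describes it. A minor style point: "(for example: ..." with a colon inside the parentheses reads awkwardly; the original "(for example, ..." form works for the longer list as well.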

To include unserialize() and ini settings such as short_open_tag. 

If there are no objections, I'm going to include that change in the next 
upload and make it the policy for Squeeze. Unless there's a reason to 
reconsider the policy applying to lenny, it won't be updated to squeeze's.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net