[php-maint] Bug#703740: php5: disabled modules are automatically readded to /etc/php5/conf.d on package upgrade

Christoph Anton Mitterer calestyo at scientia.net
Sat Mar 23 00:05:20 UTC 2013

Source: php5
Version: 5.4.4-15
Severity: important
Tags: security


I just noted by chance on an upgrade, that the following files were automatically added back
Only in /etc/php5/cgi/conf.d: 20-pdo_pgsql.ini
Only in /etc/php5/cgi/conf.d: 20-pgsql.ini
Only in /etc/php5/conf.d: 20-pdo_pgsql.ini
Only in /etc/php5/conf.d: 20-pgsql.ini
which I've had disabled before.

IMHO that shouldn't happen... actually I think, that it would even be better, if _no_
modules are automatically loaded... auto-magic stuff is nice for out-of-the-box games,
but not for serious and secure administration :) ... perhaps a release goal for jessie?! ;)

I mark this as important/security, as unintentionally enabling a module in the "global" /etc/php5/conf.d
could be an issue if that is e.g. security critical and was intentionally only enabled in e.g.
SSL client auth secured URI spaces.


More information about the pkg-php-maint mailing list