[Secure-testing-team] register_globals on is not supported
Nico Golde
debian-secure-testing+ml at ngolde.de
Tue Dec 23 14:05:31 UTC 2008
Hi,
* Giuseppe Iuculano <giuseppe at iuculano.it> [2008-12-23 14:50]:
> Thijs Kinkhorst wrote:
> > As it seems, upstream does already support running in register_globals=0 mode
> > for a long time (according to their changelog since 2002...). Therefore I
> > guess this bug would be fixed if the statement turning register_globals on
> > was removed from the Apache configuration file. Of course this does need some
> > thorough testing.
> >
> > When doing that, including the fix from this bug report as well is a good idea
> > since it can't hurt and will provide some extra protection for those running
> > unsafe setups.
>
> Upstream released a new version to fix this issue. In attachment the debdiff for
> stable/testing/unstable with the trivial backported patch[1], and
> register_globals off (not in stable).
>
> I also tested phppgadmin with register_globals off, and I didn't find any
> evident problems.
>
> I'm not a DD, so these need a review and an upload.
I take care of sponsoring the upload for unstable. For
stable security the version looks wrong to me, please use
4.0.1-3.1etch1.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.