[Secure-testing-team] Bug#587536: phpldapadmin: ships Apache configuration setting PHP register_globals On
Thijs Kinkhorst
thijs at debian.org
Tue Jun 29 15:14:23 UTC 2010
Package: phpldapadmin
Version: 1.2.0.5-1
Severity: serious
Tags: security
Justification: requiring rg on not supported by security team
Hi,

The file debian/conf/apache.conf sets PHP's register_globals setting to On:

    php_flag register_globals On

The Debian Security Team does not support configurations that require this
dangerous setting to be on. For the record, the setting has defaulted to
off in PHP for years and has been deprecated by PHP upstream.

I cannot find a requirement in the upstream documentation that this
setting needs to be on, so probably it can just be removed from the
shipped config file.

Cheers,
Thijs

-- System Information:
Debian Release: 5.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
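
Added example, not part of the original report and not phpldapadmin or Debian code: a check that finds Apache configuration lines turning register_globals on, covering the php_flag form quoted above and the related mod_php directives. The function name, the sample config and its paths are constructed for illustration.

```python
import re
import shlex

FLAG = {"php_flag", "php_admin_flag"}
VALUE = {"php_value", "php_admin_value"}

# Constructed sample modelled on the line quoted in the report; paths are placeholders.
SAMPLE = """\
Alias /app /srv/example/htdocs
<Directory /srv/example/htdocs/>
    <IfModule mod_php5.c>
        php_flag register_globals On
        # php_flag register_globals On
        php_flag magic_quotes_gpc Off
        PHP_Admin_Value "register_globals" 1
        php_value register_globals off
    </IfModule>
</Directory>
"""

def _enabled(directive, value):
    v = value.strip().lower()
    if directive in FLAG:
        # mod_php's *_flag directives treat only "On" (any case) or "1" as true.
        return v in ("on", "1")
    # *_value hands the string to PHP's boolean ini parsing:
    # "on", "yes", "true", or a leading non-zero integer.
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m) and int(m.group()) != 0

def find_register_globals(conf_text):
    """Return (line_number, directive, value) for each line enabling register_globals."""
    hits = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments start the line
            continue
        try:
            tok = shlex.split(line)            # handles quoted arguments
        except ValueError:
            tok = line.split()
        if len(tok) >= 3 and tok[0].lower() in FLAG | VALUE \
                and tok[1] == "register_globals" and _enabled(tok[0].lower(), tok[2]):
            hits.append((n, tok[0].lower(), tok[2]))
    return hits

if __name__ == "__main__":
    for n, directive, value in find_register_globals(SAMPLE):
        print(f"line {n}: {directive} register_globals {value}")
```
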