Hi Thijs,

On 2012-04-08 13:16, Thijs Kinkhorst wrote:
> On Sun, April 8, 2012 18:31, Filipus Klutiero wrote:
>> Package: php5-common
>> Version: 5.4.1~rc1-1
>> Severity: normal
>>
>> README.Debian.security starts:
>>
>> The Debian stable security team does not provide security support for
>> certain configurations known to be inherently insecure. This includes
>> the interpreter itself, extensions, and user scripts written in the PHP
>> language.
>>
>> This is at least most unclear. How would the PHP interpreter be a
>> configuration known to be inherently insecure?
>
> If I add "features in", does it get clear to you what's meant?
>
> | The Debian stable security team does not provide security support for
> | certain configurations known to be inherently insecure. This includes
> | features in the interpreter itself, extensions, and user scripts written
> | in the PHP language. Most specifically, but not exclusively, the
> | security team will not provide support for the following.

I'm not sure. This raises the question "Are features configurations?"

Looking at the list of specific cases/examples:

 * Security issues which are caused by careless programming, such as:
   - extracting a tar file without first checking the contents;
   - using unserialize() on untrusted data;
   - relying on a specific value of short_open_tag.

Only the last example makes me think of configuration.


 * Vulnerabilities involving any kind of open_basedir violation, as
   this feature is not considered a security model either by us or by
   PHP upstream.

That does make me think of configuration.


 * Any "works as expected" vulnerabilities, such as "user can cause
   PHP to crash by writing a malicious PHP script", unless such
   vulnerabilities involve some kind of higher-level DoS or privilege
   escalation that would not otherwise be available.

That doesn't make me think of configuration.
