Your message dated Wed, 15 Nov 2006 15:42:33 +0100 with message-id <20061115144233.GO2560@mails.so.argh.org> and subject line php deprecated configurations has been added has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: Please add notice about PHP register_globals not security supported
- From: Thijs Kinkhorst <thijs@debian.org>
- Date: Mon, 13 Nov 2006 20:35:25 +0100
- Message-id: <1163446530.4774.36.camel@darwin.os9.nl>
Package: release-notes

Hi,

I propose to add this text:

========
Starting with this release, the Debian security team does not provide security support for a number of PHP configurations which are known to be insecure. Most importantly, issues that make use of the register_globals setting being turned on are not addressed. This setting is known to be insecure and has defaulted to off for many years. If you run legacy applications that require it, enable register_globals for the respective paths only, e.g. through the Apache configuration file. More information is available in the README.Debian.security file in the PHP documentation directory (/usr/share/doc/php{4,5}).
========

Thijs

Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
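An added example (not part of the original messages or of Debian's release notes): a small Python check for the advice in the proposed text, reporting where an Apache configuration turns register_globals on and whether that is confined to a path container. The function name, the sample configuration and its paths are constructed for illustration; the check does not follow Include directives and does not read .htaccess files or php.ini.

```python
import re

# Apache containers that confine a directive to part of a site.
PATH_SCOPES = {"directory", "directorymatch", "location",
               "locationmatch", "files", "filesmatch"}
OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)>$")
CLOSE = re.compile(r"^</\s*(\w+)\s*>$")
FLAG = re.compile(r"^php_(?:admin_)?flag\s+register_globals\s+(\S+)", re.I)
ON_VALUES = {"on", "1"}  # values this example treats as "enabled"

# Constructed sample configuration, not taken from a real system.
SAMPLE = """\
# legacy settings
php_flag register_globals on
<VirtualHost *:80>
    DocumentRoot /var/www
    <Directory "/var/www/legacy-app">
        php_admin_flag register_globals on
    </Directory>
    <Directory /var/www/shop>
        php_admin_flag register_globals off
    </Directory>
</VirtualHost>
"""

def audit_register_globals(conf_text):
    """Return (line_no, scope, verdict) for each line enabling register_globals."""
    stack, findings = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := CLOSE.match(line)):
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()  # leave the container that just closed
        elif (m := OPEN.match(line)):
            stack.append((m.group(1).lower(), m.group(2).strip().strip('"')))
        elif (m := FLAG.match(line)) and m.group(1).lower() in ON_VALUES:
            paths = [f"{name} {arg}" for name, arg in stack if name in PATH_SCOPES]
            if paths:
                findings.append((no, paths[-1], "scoped"))
            else:  # top level or only inside <VirtualHost>: applies to every path
                findings.append((no, "whole server or vhost", "too broad"))
    return findings

if __name__ == "__main__":
    for finding in audit_register_globals(SAMPLE):
        print(finding)
```
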
--- Begin Message ---
- To: 398437-done@bugs.debian.org
- Subject: php deprecated configurations has been added
- From: Andreas Barth <aba@not.so.argh.org>
- Date: Wed, 15 Nov 2006 15:42:33 +0100
- Message-id: <20061115144233.GO2560@mails.so.argh.org>
Hi,

I just committed this change to cvs:

+ <sect id="php-globals"> <heading>Deprecated insecure php configurations</heading> + <p>For many years, turning on the register_globals settings in PHP + has been known to be insecure and dangerous, and has defaulted to + off for some time now. This configuration is + now finally deprecated on Debian systems as too dangerous. + The same applies to flaws in safe_mode and open_basedir, which + haven also been unmaintained for some time.</p> + + <p>Starting with this release, the Debian security team does not provide + security support for a number of PHP configurations which are known to + be insecure. Most importantly, issues that make use of the + register_globals setting being turned on are not addressed.</p> + + <p>If you run legacy applications that require register_globals, + enable it for the respective paths only, e.g. through the Apache + configuration file. More information is available in the + <file>README.Debian.security</file> file in the PHP + documentation directory (<file>/usr/share/doc/php4</file>, + <file>/usr/share/doc/php5</file>). + </sect>

Please feel free to reopen this bug report if you think the patch should look different.

Cheers,
Andi
-- 
http://home.arcor.de/andreas-barth/
--- End Message ---
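Review bot: the last paragraph of the new section, the <p> that begins "If you run legacy applications that require register_globals", is never closed; the text runs from "(<file>/usr/share/doc/php4</file>, <file>/usr/share/doc/php5</file>)." straight into </sect>, so a </p> is needed before the closing tag. In the first paragraph, "haven also been unmaintained" should read "have also been unmaintained", and "the register_globals settings" should be singular to agree with "This configuration". That paragraph also speaks of "flaws in safe_mode and open_basedir" being deprecated, while the sentence before it deprecates a configuration; wording it as issues that rely on safe_mode or open_basedir not being security supported would match the second paragraph's treatment of register_globals.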