Re: CVE-2006-4625 Vulnerability not fixed on libapache2-mod-php4.3.10-20

To: Etienne Carriere <etienne.carriere@rez-gif.supelec.fr>
Cc: debian-security@lists.debian.org
Subject: Re: CVE-2006-4625 Vulnerability not fixed on libapache2-mod-php4.3.10-20
From: Florian Weimer <fw@deneb.enyo.de>
Date: Fri, 18 May 2007 22:48:38 +0200
Message-id: <87k5v5rh7d.fsf@mid.deneb.enyo.de>
In-reply-to: <464DE3A9.90301@rez-gif.supelec.fr> (Etienne Carriere's message of "Fri, 18 May 2007 19:34:33 +0200")
References: <464DE3A9.90301@rez-gif.supelec.fr>

* Etienne Carriere:

> I discovered yesterday that on a server it is possible to override the
> php_admin_value statements .After some researches,this correspond to the
> CVE-2006-4625 vulnerability.I search in the DSA between Sept 2006 and
> nowadays and I found no quotation about the fixation of the hole for php4 .

This is just an issue with untrusted PHP scripts.  Debian security
support does not extend to this scenario because PHP's "Safe Mode" is
unsafe by design.

Reply to:

References:
- CVE-2006-4625 Vulnerability not fixed on libapache2-mod-php4.3.10-20
  - From: Etienne Carriere <etienne.carriere@rez-gif.supelec.fr>

Prev by Date: CVE-2006-4625 Vulnerability not fixed on libapache2-mod-php4.3.10-20
Next by Date: Re: [SECURITY] [DSA 1297-1] New gforge-plugin-scmcvs packages fix arbitrary shell command execution
Previous by thread: CVE-2006-4625 Vulnerability not fixed on libapache2-mod-php4.3.10-20
Next by thread: Re: [SECURITY] [DSA 1297-1] New gforge-plugin-scmcvs packages fix arbitrary shell command execution
Index(es):
- Date
- Thread