Re: PCI vulnerability scan - PHP4 on Sarge
William Chipman wrote:
> We had a scan of our systems for PCI compliance and received warnings
> about PHP 4.4.3-10-22.
> I checked the archives and found that the following CVE reports were not
> covered by the comments
> leading up to 4.4.3-10-22:
I verified your list:
Almost all of these are no security issues by the security policy for
PHP, see below. For one or two (harmless) issues an update is in preparation.
A similar policy is in place for the other major Linux enterprise distribution,
Red Hat Enterprise Linux.
If the payment card industry wishes to discuss their requirements with us,
they can contact us at team@security.debian.org
--
The Debian stable security team does not provide security support
for certain configurations known to be inherently insecure. Most
specifically, the security team will not provide support for flaws in:
- problems which are not flaws in the design of php but can be problematic
when used by sloppy developers (for example, not checking the contents
of a tar file before extracting it)
- vulnerabilities involving register_globals being activated, unless
specifically the vulnerability activates this setting when it was
configured as deactivated
- vulnerabilities involving any kind of safe_mode or open_basedir
violation, as these are security models flawed by design and no longer
have upstream support either
- any "works as expected" vulnerabilities, such as "user can cause php
to crash by writing a malicious php script", unless such vulnerabilities
involve some kind of higher-level DoS or privilege escalation that would
not otherwise be available.
--
Cheers,
Moritz