Re: PCI vulnerability scan - PHP4 on Sarge
William Chipman wrote:
> We had a scan of our systems for PCI compliance and received warnings
> about PHP 4.4.3-10-22.
> I checked the archives and found that the following CVE reports were not
> covered by the comments leading up to 4.4.3-10-22:
I verified your list:
Almost all of these are not security issues under the security policy for
PHP, see below. For one or two (harmless) issues an update is in preparation.
A similar policy is in place for the other major Linux enterprise distribution:
Red Hat Enterprise Linux.
If the payment card industry wishes to discuss their requirements with us,
they can contact us at email@example.com.
The Debian stable security team does not provide security support
for certain configurations known to be inherently insecure. Most
specifically, the security team will not provide support for flaws in:
- problems which are not flaws in the design of php but can be problematic
when used by sloppy developers (for example, not checking the contents
of a tar file before extracting it)
- vulnerabilities involving register_globals being activated, unless
specifically the vulnerability activates this setting when it was
configured as deactivated
- vulnerabilities involving any kind of safe_mode or open_basedir
violation, as these are security models flawed by design and no longer
have upstream support either
- any "works as expected" vulnerabilities, such as "user can cause php
to crash by writing a malicious php script", unless such vulnerabilities
involve some kind of higher-level DoS or privilege escalation that would
not otherwise be available.
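To illustrate the register_globals point in the policy above, here is a constructed example (added for this page, not part of the mail or of Debian's PHP package). It emulates what register_globals=On did to global scope, shows the application-side bug that makes it exploitable, and the hardened form that is safe regardless of the setting. The request array, the password and the variable names are all made up.

```php
<?php
// Constructed example: why a flaw that only exists with register_globals=On
// is an application bug rather than a flaw in PHP itself.

// Emulate register_globals=On for a constructed request. Real PHP would
// create a global variable for every request parameter before the script
// runs; here we do the same via $GLOBALS so the script runs offline.
function emulate_register_globals($request) {
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Constructed request: an attacker-chosen parameter and no password at all.
$request = array('is_admin' => '1');
emulate_register_globals($request);

// Vulnerable pattern: $is_admin is only assigned on success and never
// initialised, so the injected global survives and the check passes.
// (Uses $request instead of $_POST only so the script runs from the CLI.)
if (isset($request['password']) && $request['password'] === 's3cret') {
    $is_admin = true;
}
echo "vulnerable check: " . (!empty($is_admin) ? "admin" : "not admin") . "\n";

// Hardened pattern: initialise every decision variable unconditionally and
// derive it only from explicit input, never from whatever is in global scope.
$is_admin = false;
if (isset($request['password']) && $request['password'] === 's3cret') {
    $is_admin = true;
}
echo "hardened check: " . ($is_admin ? "admin" : "not admin") . "\n";

// Configuration check: register_globals has defaulted to Off since PHP 4.2;
// report it if an installation has turned it back on.
if (ini_get('register_globals')) {
    echo "WARNING: register_globals is enabled in php.ini\n";
}
```

The first check grants access without any password because of the uninitialised variable; the second does not, which is exactly why the policy treats such reports as application bugs.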