
Re: PCI vulnerability scan - PHP4 on Sarge

William Chipman wrote:
> We had a scan of our systems for PCI compliance and received warnings 
> about PHP 4.4.3-10-22.
> I checked the archives and found that the following CVE reports were not 
> covered by the comments
> leading up to 4.4.3-10-22:

I verified your list:
Almost all of these are not security issues under the security policy for
PHP, see below. For one or two (harmless) issues an update is in preparation.

A similar policy is in place for the other major Linux enterprise distribution,
Red Hat Enterprise Linux.

If the payment card industry wishes to discuss their requirements with us,
they can contact us at team@security.debian.org

The Debian stable security team does not provide security support
for certain configurations known to be inherently insecure.  Most
specifically, the security team will not provide support for flaws in:

- problems which are not flaws in the design of php but can be problematic
  when used by sloppy developers (for example, not checking the contents
  of a tar file before extracting it)

- vulnerabilities involving register_globals being activated, unless
  specifically the vulnerability activates this setting when it was
  configured as deactivated

- vulnerabilities involving any kind of safe_mode or open_basedir
  violation, as these are security models flawed by design and no longer
  have upstream support either

- any "works as expected" vulnerabilities, such as "user can cause php
  to crash by writing a malicious php script", unless such vulnerabilities
  involve some kind of higher-level DoS or privilege escalation that would
  not otherwise be available.
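An added illustration, not part of the original thread, of why the policy above treats register_globals as an unsupported configuration rather than a PHP flaw. With register_globals enabled, every request parameter is turned into a global variable before the script runs, so any script that tests a variable it never initialized is controllable by the client. The script below shows that weak pattern at file scope (where injected globals are visible) beside a hardened version that initializes its variables, reads input only from the explicit superglobals, and refuses to run if the setting is on. The session key name `user` and the value `admin` are assumed for the example.

```php
<?php
// Added example (not from the thread): a check that is only bypassable when
// register_globals is enabled, alongside a version that does not depend on it.

// --- Weak pattern, at file scope so register_globals-injected variables are visible ---
// $authorized is never initialized. With register_globals=On, a request carrying
// ?authorized=1 makes PHP define $authorized = "1" before this code runs, and the
// admin-only branch is taken without a valid session.
if (isset($_SESSION['user']) && $_SESSION['user'] == 'admin') {
    $authorized = true;
}
if (!empty($authorized)) {
    // admin-only section in the legacy script
}

// --- Hardened pattern ---
// Initializes every variable before use and aborts under register_globals, so the
// script behaves the same whether or not the deployment has the setting on.
function hardened_is_admin()
{
    // ini_get() returns the configured string ("1", "0" or "") for boolean settings;
    // "0" and "" are both falsy in PHP, so the cast is sufficient.
    if ((bool) ini_get('register_globals')) {
        trigger_error('register_globals must be disabled', E_USER_ERROR);
        return false;
    }

    $authorized = false;   // explicit default: cannot be supplied by the request
    if (isset($_SESSION['user']) && $_SESSION['user'] == 'admin') {
        $authorized = true;
    }
    return $authorized;
}

if (hardened_is_admin()) {
    // admin-only section
}
```

The weak pattern is the kind of application bug the policy declines to treat as a PHP security issue: PHP's default has been register_globals=Off since 4.2.0, and the script is only exploitable when an administrator turns it back on. The one case the policy does cover, a flaw that switches register_globals on when it was configured off, is exactly why the hardened version checks the runtime value rather than trusting php.ini.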
