Re: FYI php disable_function bypass bug

To: Radoslav Bodó <bodik@cesnet.cz>, debian-security@lists.debian.org
Subject: Re: FYI php disable_function bypass bug
From: Sylvain Beucler <beuc@beuc.net>
Date: Sat, 9 Oct 2021 19:45:43 +0200
Message-id: <[🔎] 4f18d018-cd7c-3b48-f827-2ef2ac6ff5d6@beuc.net>
In-reply-to: <[🔎] aa79fa77-dee8-e36a-81be-13b6341e0209@cesnet.cz>
References: <[🔎] aa79fa77-dee8-e36a-81be-13b6341e0209@cesnet.cz>

Hello,

On 08/10/2021 10:54, Radoslav Bodó wrote:

I'm not sure how to properly escalate this bugreport, but I guess it's
worth of at least of fast acknowledgement

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995871

You could upgrade the severity to 'grave', add the 'security' tag forthis bug, and add a rationale on when 'disable_functions' is used as afirst-level security protection.Though the most effective way to trigger the security workflow would beto get PHP Group to issue a CVE for this. They may plan to do so whenthey release a new fixed version themselves.


Thanks for the info.

Cheers!
Sylvain Beucler
Debian LTS Team

Reply to:

References:
- FYI php disable_function bypass bug
  - From: Radoslav Bodó <bodik@cesnet.cz>

Prev by Date: Re: Upcoming stable point release (11.1)`
Previous by thread: FYI php disable_function bypass bug
Next by thread: Re: Upcoming oldstable point release (10.11)
Index(es):
- Date
- Thread