blob: 86f75e2534e073cb067a98f409bcd6e0a61a13bc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
the Debian stable security team does not provide security support
for certain configurations known to be inherently insecure. Most
specifically, the security team will not provide support for flaws in:
- problems which are not flaws in the design of php but can be problematic
when used by sloppy developers (for example, not checking the contents
of a tar file before extracting it).
- vulnerabilities involving register_globals being activated, unless
specifically the vulnerability activates this setting when it was
configured as deactivated.
- vulnerabilities involving any kind of safe_mode or open_basedir
violation, as these are security models flawed by design and no longer
have upstream support either.
- any "works as expected" vulnerabilities, such as "user can cause php
to crash by writing a malcious php script", unless such vulnerabilities
involve some kind of higher-level DoS or privilege escalation that would
not otherwise be available.
-- sean finney <seanius@debian.org> Tue, 10 Oct 2006 12:42:06 +0200
|
