Hi Thijs.

On Sat, 2013-03-16 at 10:06 +0100, Thijs Kinkhorst wrote:
> Rightly so. These issues indeed should be fixed to prevent any security 
> issues 
> proactively, and it would be great even, if possible, to fix them in wheezy. 
> However, there are no concrete security holes known so this is a matter of 
> hardening rather than a real vulnerability.
Well... I think these issues are quite severe... or at least they smell
so ;-) ...
Admittedly I haven't found a real exploit... but I haven't looked for
one either.

To be honest... the whole authentication / session system seems to be a
bit messy...


> I disagree about the severity of this. Yes, phpinfo() shouldn't be shown. 
> However, nearly all of the 'private environment information' is fully 
> predictable on a Debian system (paths, php versions, library versions, you 
> name it, it's all trivially known already).
Well.... in a sense yes... OTOH... PHP and PHP programs are known to
often depend on security by obscurity... so... yeah... definitely not a
good thing.


> Add to that that it's not 
> available to the world but only to authorised users. This shouldn't happen, 
> but does not justify 'grave'.
Agreed... at least with respect to Debian and release criticality.
The problem is there is no public bug tracker for Davical (the one at SF
is not accessible)... so I had to report it somewhere for the record...
and I used the severity I'd use upstream.


Cheers,
Chris.
