Thijs Kinkhorst wrote:
> As you might know:
> - the Debian 'squirrelmail' Apache configuration ships with rg disabled;
> - the Debian 'php4' configuration ships with rg disabled;
> - it is well known and well documented that enabling register_globals is
> a security risk.
>
> Therefore, someone who overrides both the PHP and SquirrelMail default
> configuration for this setting, while there is no need at all to do so,
> is willingly opening up security risks.
>
> Running with register_globals on is not supported with upstream
> SquirrelMail and heavily discouraged (?) with PHP.
>
> Of course the bug will be fixed, but for this reason I don't think we
> should rush out an advisory or leave this bug to be of serious severity.
>
>
> I value input on this matter from the security team.

I don't think this warrants a security update for stable.

Cheers,
Moritz