On Mon, Oct 31, 2005 at 07:14:55PM +0100, Florian Weimer wrote:
> Package: php4
> Tags: security
> Severity: grave
>
> The Hardened-PHP project has disclosed several security
> vulnerabilities:
>
> <http://www.hardened-php.net/advisory_182005.77.html>
> <http://www.hardened-php.net/advisory_192005.78.html>
> <http://www.hardened-php.net/advisory_202005.79.html>
> <http://www.hardened-php.net/globals-problem>
>
> The "globals problem" appears to be somewhat nasty.  It is not clear
> if it applies to stable's 4.3.10 version because the security feature
> which turned out to be buggy was introduced in 4.3.11, according to
> the fourth link above.  (Maybe PHP before 4.3.11 is vulnerable to some
> other issue; I don't know.)

The globals problem described does apply to php 4.3.10.

However, in reading over the description of the vulnerabilities, I don't
really see any grounds for regarding these as grave security bugs.

The most severe of these problems, 202005.79, only has a significant
impact when register_globals is set in the PHP environment -- a setting
which has been strongly deprecated for quite some time, and which is
disabled by default in sarge.

There is a *lot* of PHP application code that is vulnerable to XSS or
remote injection attacks when run with register_globals on, or which
does stupid things with manually registering request variables as global
variables; I'm not convinced that this warrants a grave bug against
PHP...

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
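As an added illustration (not part of the thread or of the php4 package), the class of application code Steve describes: a script that relies on a variable it never initialised, which register_globals or a manual extract() of the request lets the client populate, beside the hardened form and a startup check that refuses to run with the deprecated setting on. The credential and request values are constructed.

```php
<?php
// Added example, not from the thread. Shows why an uninitialised global
// is dangerous under register_globals (or a manual extract($_REQUEST)),
// and what an application can do about it. All values are constructed.

// Startup check: fail closed if the deprecated setting is enabled, so a
// host's php.ini cannot silently re-enable it behind the application.
if (ini_get('register_globals')) {
    die("register_globals is enabled; disable it in php.ini or .htaccess\n");
}

// Simulate register_globals=On, or code that does extract($_REQUEST):
// every request parameter becomes a global variable of the same name.
$_REQUEST = array('authorised' => '1', 'password' => 'wrong');  // constructed
extract($_REQUEST);   // the "manual registration" the thread refers to

// Fragile pattern: $authorised is only assigned on success and never
// initialised, so the value injected from the request is what the
// later test sees, although the supplied password is wrong.
if ($password === 'correct horse') {   // constructed credential
    $authorised = true;
}
echo "fragile:  " . (!empty($authorised) ? "granted" : "denied") . "\n";

// Hardened pattern: initialise before use, and read request data only
// from the superglobals, never from bare variables.
$authorised = false;
if (isset($_REQUEST['password']) && $_REQUEST['password'] === 'correct horse') {
    $authorised = true;
}
echo "hardened: " . ($authorised ? "granted" : "denied") . "\n";
```

Run it from the command line with register_globals off: the fragile branch grants access on the injected value, the hardened branch denies it.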