On Tue, Jan 28, 2014 at 10:15:39PM +0200, Adrian Bunk wrote:
> Package: src:suphp
> Version: 0.7.1-3
> Severity: serious
> Tags: security
>
> From http://www.suphp.org/Home.html
>
> suPHP 0.7.2 has been released.
> This release fixes a security issue that was introduced with the 0.7.0
> release. This issue affected the source-highlighting feature and could only
> be exploited, if the suPHP_PHPPath option was set. In this case local users
> which could create or edit .htaccess files could possibly execute arbitrary
> code with the privileges of the user the webserver was running as.
>
> I am not sure whether this warrants a DSA, but I've set the severity RC
> since not upgrading to a new point release that fixes a security bug for
> jessie would be stupid (Ubuntu has already upgraded the package for trusty).
>
> Note that this package is orphaned, so a QA upload (that also fixes
> the maintainer field) is required.
Quoting from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731758 and
https://lists.marsching.com/pipermail/suphp/2013-May/002554.html, upstream is dead
and we should go ahead with the removal from the archive.

Cheers,
Moritz