/usr/share/doc/php5-common/README.Debian.security is in php5-common 5.3.10-1ubuntu3.26.
This file is owned by root:root, with mode 0o644.
The Debian stable security team does not provide security support
for certain configurations known to be inherently insecure. This
includes the interpreter itself, extensions, and code written in the
PHP language. Most specifically, the security team will not provide
support for flaws in:
- problems which are not flaws in the design of php but can be problematic
when used by sloppy developers (for example: not checking the contents
of a tar file before extracting it, using unserialize() on
untrusted data, or relying on a specific value of short_open_tag).
- vulnerabilities involving register_globals being activated, unless
specifically the vulnerability activates this setting when it was
configured as deactivated.
- vulnerabilities involving any kind of safe_mode or open_basedir
violation, as these are security models flawed by design and no longer
have upstream support either.
- any "works as expected" vulnerabilities, such as "user can cause php
to crash by writing a malicious php script", unless such vulnerabilities
involve some kind of higher-level DoS or privilege escalation that would
not otherwise be available.
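As an added illustration of the first bullet (this is not part of the Debian README and not Debian's or PHP upstream's code), the snippet below shows why unserialize() on untrusted data is treated as an application-level flaw rather than an interpreter bug: the function rebuilds whatever class the input names, running that class's __wakeup() before the application has had any chance to validate it. The class name AuditLogger, the cookie contents and the function names are constructed for this example; the code uses only PHP 5.3-era syntax, matching the package version at the top of the page.

```php
<?php
// Added example, not part of the Debian README.  Demonstrates why
// unserialize() on attacker-controlled input falls under "problems
// which are not flaws in the design of php", and shows a safer
// alternative that works on PHP 5.3 (no allowed_classes option there).

class AuditLogger {                     // hypothetical application class
    public $path = '/tmp/app.log';
    // PHP invokes __wakeup() automatically whenever unserialize()
    // rebuilds an instance of this class, regardless of what the caller
    // expected to receive.  Throwing here makes that visible.
    public function __wakeup() {
        throw new RuntimeException('AuditLogger rebuilt from untrusted data');
    }
}

// Constructed sample of untrusted input (e.g. a cookie value).  It names
// an application class even though the application only wanted an array.
$untrusted = 'O:11:"AuditLogger":1:{s:4:"path";s:10:"/tmp/x.log";}';

// Unsafe: unserialize() instantiates whatever class the string names.
function loadPrefsUnsafe($raw) {
    return unserialize($raw);
}

// Safer: carry preferences as JSON.  json_decode() can only produce
// scalars, arrays and stdClass, never application classes, and the
// second argument forces plain associative arrays.
function loadPrefsSafe($raw) {
    $data = json_decode($raw, true);
    return is_array($data) ? $data : array();
}

try {
    loadPrefsUnsafe($untrusted);
} catch (RuntimeException $e) {
    // Reached: the object was constructed from cookie data before any
    // application check could run.
    echo "unserialize() instantiated a class from untrusted input: ",
         $e->getMessage(), "\n";
}

// The same input through the JSON path yields an empty array, and a
// well-formed JSON document yields the expected associative array.
var_dump(loadPrefsSafe($untrusted));
var_dump(loadPrefsSafe('{"theme":"dark"}'));
```

Run with `php example.php`. The design point is that the safe variant never lets the input choose a class at all; on PHP 7 and later the same effect is available through unserialize()'s allowed_classes option, but on the 5.3 series covered by this package the JSON route (or rejecting any serialized string that contains an object token before calling unserialize()) is the practical mitigation.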
PHP upstream has published a statement regarding their view on security
and the PHP interpreter:
http://www.php.net/security-note.php