the Debian stable security team does not provide security support for certain configurations known to be inherently insecure. This includes the interpreter itself, extensions, and code written in the PHP language. Most specifically, the security team will not provide support for flaws in: - problems which are not flaws in the design of php but can be problematic when used by sloppy developers (for example: not checking the contents of a tar file before extracting it, using unserialize() on untrusted data, or relying on a specific value of short_open_tag). - vulnerabilities involving register_globals being activated, unless specifically the vulnerability activates this setting when it was configured as deactivated. - vulnerabilities involving any kind of safe_mode or open_basedir violation, as these are security models flawed by design and no longer have upstream support either. - any "works as expected" vulnerabilities, such as "user can cause php to crash by writing a malcious php script", unless such vulnerabilities involve some kind of higher-level DoS or privilege escalation that would not otherwise be available. -- sean finney Tue, 10 Oct 2006 12:42:06 +0200