registry team mailing list archive

[Bug 611266] [NEW] ships Apache configuration setting PHP register_globals On

 

*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: phpldapadmin

Extract from Debian bug, which affects Ubuntu (replicated here for tracking purposes):
The file debian/conf/apache.conf sets PHP's register_globals setting to On:

        php_flag register_globals On

The Debian Security Team does not support configurations that require this
dangerous setting to be on. For the record, the setting has defaulted to
off in PHP for years and has been deprecated by PHP upstream.

I cannot find a requirement in the upstream documentation that this
setting needs to be on, so probably it can just be removed from the
shipped config file.

** Affects: phpldapadmin (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: phpldapadmin (Debian)
     Importance: Unknown
         Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #587536
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587536

** Also affects: phpldapadmin (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587536
   Importance: Unknown
       Status: Unknown

-- 
ships Apache configuration setting PHP register_globals On
https://bugs.launchpad.net/bugs/611266
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for Debian.
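
An added example, not part of the bug report or of the package: a small Python check that scans Apache configuration text for mod_php directives that turn register_globals on, as the quoted `php_flag register_globals On` line does. The function name, the sample configuration and its paths are constructed for illustration.

```python
import re

# Directives mod_php accepts in Apache configuration to change ini settings.
_DIRECTIVE = re.compile(
    r"^\s*(php_flag|php_admin_flag|php_value|php_admin_value)\s+"
    r"register_globals\s+(\S+)",
    re.IGNORECASE,  # Apache directive names are case-insensitive
)
# Values that enable a boolean ini setting.
_TRUE = {"on", "1", "true", "yes"}


def find_register_globals(conf_text):
    """Return (line_no, directive, value) for every directive that enables
    register_globals. Comment lines are skipped."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m and m.group(2).strip("\"'").lower() in _TRUE:
            hits.append((no, m.group(1).lower(), m.group(2)))
    return hits


# Constructed sample built around the line quoted in the report; the other
# directives and the paths are placeholders, not the package's real file.
SAMPLE_CONF = """\
Alias /example-app /srv/example-app/htdocs
<Directory /srv/example-app/htdocs>
    # php_flag register_globals On   (commented out, ignored)
    php_flag register_globals On
    php_flag magic_quotes_gpc Off
    php_admin_value register_globals 0
</Directory>
"""

if __name__ == "__main__":
    for no, directive, value in find_register_globals(SAMPLE_CONF):
        print(f"line {no}: {directive} register_globals {value}")
```

Run over a package's shipped Apache snippet, an empty result means no directive in that file enables the setting; php.ini and .htaccess files are separate places it can be set and are not covered here.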


