Subject: php and audit-packages
To: None <>
From: Geert Hendrickx <>
List: tech-pkg
Date: 04/24/2007 09:37:29

Can we please do something about this one:

Package php-4.4.6 has a privilege-escalation vulnerability, see

I've been getting this every day from too many machines for way too long now.
It's a stupid open_basedir bypass which, according to the original advisory[1],
cannot really be fixed without redesigning PHP, but can be worked around trivially (if
you are using open_basedir at all).  So I suggest we remove this entry from
pkg-vulnerabilities, and add some general security note to the php4 and php5
MESSAGE files, with a link to this advisory[1] and maybe to's Security
pages[2] as well.

What do you think?