Hi,

can we please do something about this one please:

Package php-4.4.6 has a privilege-escalation vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5178

I've been getting this every day from too many machines for way too long now.
It's a stupid open_basedir bypass which, according to the original advisory[1],
cannot really be fixed without redesigning PHP, but worked around trivially (if
you are using open_basedir at all).  So I suggest we remove this entry from
pkg-vulnerabilities, and add some general security note to the php4 and php5
MESSAGE files, with a link to this advisory[1] and maybe to PHP.net's Security
pages[2] as well.

What do you think?

	Geert

[1] http://www.hardened-php.net/advisory_082006.132.html
[2] http://www.php.net/Security