• FYI php disable_function bypass bug

    From Radoslav Bodó@21:1/5 to All on Fri Oct 8 11:30:02 2021
    Hello,

    I'm not sure how to properly escalate this bug report, but I guess it's
    worth at least a fast acknowledgement.

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995871


    bodik

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sylvain Beucler@21:1/5 to All on Sat Oct 9 19:50:02 2021
    Hello,

    On 08/10/2021 10:54, Radoslav Bodó wrote:
    > I'm not sure how to properly escalate this bug report, but I guess it's
    > worth at least a fast acknowledgement.
    >
    > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995871

    You could upgrade the severity to 'grave', add the 'security' tag for
    this bug, and add a rationale on when 'disable_functions' is used as a first-level security protection.
    Though the most effective way to trigger the security workflow would be
    to get PHP Group to issue a CVE for this. They may plan to do so when
    they release a new fixed version themselves.

    Thanks for the info.

    Cheers!
    Sylvain Beucler
    Debian LTS Team
