Message-ID: <email address hidden>
Date: Sun, 9 Jan 2005 13:32:28 +0100
From: Martin Schulze <email address hidden>
To: Florian Weimer <email address hidden>
Cc: Pekka Savola <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: A backport of PHP fixes for 4.1.2

Florian Weimer wrote:
> >> Huh? What about safe_mode? Does CVE officially declare safe_mode as
> >> fundamentally insecure?
> >
> > Yes (except that it's not CVE who declared but vendor-sec).
>
> Okay, this is actually good news.

Hmm. I'm not sure that "safe_mode is fundamentally broken" is good news,
but it's the truth...

> Shall I write a draft DSA and some documentation patches? Some of our
> users rely on this feature and are not aware of its defects.

Please do. I think good documentation on why/how safe_mode is
broken would be good to be added to www.debian.org/security/<somewhere>,
same as chroot-is-no-jail.

Regards,
Joey
--
In the beginning was the word, and the word was content-type: text/plain
Please always Cc to me when replying to me on the lists.