[php-maint] Bug#703740: php5: disabled modules are automatically readded to /etc/php5/conf.d on package upgrade
Christoph Anton Mitterer
calestyo at scientia.net
Sat Mar 23 00:05:20 UTC 2013
Source: php5
Version: 5.4.4-15
Severity: important
Tags: security
Hi.
I just noted by chance on an upgrade, that the following files were automatically added back
Only in /etc/php5/cgi/conf.d: 20-pdo_pgsql.ini
Only in /etc/php5/cgi/conf.d: 20-pgsql.ini
Only in /etc/php5/conf.d: 20-pdo_pgsql.ini
Only in /etc/php5/conf.d: 20-pgsql.ini
which I've had disabled before.
IMHO that shouldn't happen... actually I think, that it would even be better, if _no_
modules are automatically loaded... auto-magic stuff is nice for out-of-the-box games,
but not for serious and secure administration :) ... perhaps a release goal for jessie?! ;)
I mark this as important/security, as unintentionally enabling a module in the "global" /etc/php5/conf.d
could be an issue if that is e.g. security critical and was intentionally only enabled in e.g.
SSL client auth secured URI spaces.
Thanks,
Chris.
More information about the pkg-php-maint
mailing list