Package: debian-security-support Version: 2014.12.17 Severity: normal Hi,
Please see attached patch that removes php5 and memcached from limited security support. These packages receive full support according to what is commonly understood as proper normal use cases for this software. As discussed at the security team meeting. Please apply. Thanks, Thijs
>From 22817e551a4b55c9f94bc66c027d42ab87492fdb Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst <th...@kinkhorst.com> Date: Sat, 17 Jan 2015 18:26:40 +0100 Subject: [PATCH] Remove php5,memcached from limited-support Our PHP support is not different from upstream's and is well understood by the community. Even stronger for memcached, which everyone running it knows not to expose to the world as it doesn't do any protection by design. --- security-support-limited | 2 -- 1 file changed, 2 deletions(-) diff --git a/security-support-limited b/security-support-limited index 19f0143..2d9db0f 100644 --- a/security-support-limited +++ b/security-support-limited @@ -14,12 +14,10 @@ glpi Only supported behind an authenticated HTTP zone for trusted use kde4libs khtml has no security support upstream, only for use on trusted content libv8-3.14 Not covered by security support, only suitable for trusted content ltp Pure Testsuite, only supported on non-production non-multiuser systems -memcached Attacks that require an attacker to be able to access the memcached port/sock are not supported, it's running as nobody and in a typical setup attackers don't have access to this mozjs Not covered by security support, only suitable for trusted content mozjs17 Not covered by security support, only suitable for trusted content mozjs24 Not covered by security support, only suitable for trusted content ocsinventory-server Only supported behind an authenticated HTTP zone -php5 See README.Debian.security for the PHP security policy pidgin Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE qtwebkit No security support upstream and backports not feasible, only for use on trusted content sql-ledger Only supported behind an authenticated HTTP zone -- 1.7.10.4