Package: php8.4-common
Version: 8.4.20-1
Severity: wishlist
X-Debbugs-Cc: [email protected]

Dear Maintainer,

There is a Debian-specific patch for telemetry in PHP called "0047-Add-minimal-privacy-preserving-secure-DNS-telemetry-.patch" (https://salsa.debian.org/php-team/php/-/blob/debian/main/8.4/debian/patches/0047-Add-minimal-privacy-preserving-secure-DNS-telemetry-.patch), with the stated purpose of notifying about outdated/vulnerable binaries (https://codeberg.org/oerdnj/deb.sury.org/issues/76).

It's now disabled in official Debian builds. But it can't be turned off if it's enabled, since the patch hardcodes everything at build time. And it's enabled in Ondrej's own builds.

Please make it disableable at runtime, preferably as an opt-in option, not opt-out.

The patch name says it's "privacy-preserving", but it uses a peculiar approach that leaks the user's IP address: instead of just querying something like "build_id.alers.telemetry.server TXT" through system DNS (which can/will be anonymized by the ISP or other means, protected by DoH and such), it connects directly to the telemetry server, sending some encrypted payload to it. That's quite concerning, even if the payload currently seems to be harmless.

-- System Information:
Debian Release: forky/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 7.0.3+deb14-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages php8.4 depends on:
ii  libapache2-mod-php8.4  8.4.20-1+b1
ii  php8.4-common          8.4.20-1+b1
ii  php8.4-fpm             8.4.20-1+b1

php8.4 recommends no packages.

php8.4 suggests no packages.

Versions of packages php8.4-common depends on:
ii  libc6       2.43-2
ii  libffi8     3.5.2-4
ii  libssl3t64  3.6.2-1
ii  php-common  2:101~+0~20260503.72+debian13~1.gbp7da167
ii  ucf         3.0053

-- no debconf information

