File: README.Debian.security

The Debian stable security team does not provide security support
for certain configurations known to be inherently insecure.  Specifically,
the security team will not provide support for:

- problems which are not flaws in the design of php but which can be
  problematic when php is used by sloppy developers (for example, not
  checking the contents of a tar file before extracting it).

- vulnerabilities involving register_globals being activated, unless the
  vulnerability itself activates this setting when it was configured as
  deactivated.

- vulnerabilities involving any kind of safe_mode or open_basedir
  violation, as these are security models flawed by design and no longer
  have upstream support either.

- any "works as expected" vulnerabilities, such as "user can cause php
  to crash by writing a malicious php script", unless such vulnerabilities
  involve some kind of higher-level DoS or privilege escalation that would
  not otherwise be available.

 -- sean finney <seanius@debian.org>  Tue, 10 Oct 2006 12:42:06 +0200