debian-edu-config (2.12.16) unstable; urgency=medium

    CVE-2021-20001: For mitigating potential privilege escalations that
    could be caused by malicious PHP scripts in Apache2-accessible user
    directories (i.e. PHP files placed into ~/public_html) on the Debian
    Edu mainserver, the PHP engine is now disabled for Apache2 user
    directories (see /etc/apache2/mods-enabled/debian-edu-userdir.conf).

    However, if PHP functionality is required for Apache2 user directories
    for educational purposes, an alternative configuration approach is provided
    in:

    /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI+suExec.md

 -- Mike Gabriel <sunweaver@debian.org>  Fri, 04 Feb 2022 12:14:05 +0100