[php-maint] Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

Charles Plessy plessy at debian.org
Tue Aug 14 00:50:46 UTC 2012

Le Tue, Aug 14, 2012 at 02:27:33AM +0200, Christoph Anton Mitterer a écrit :
> Question: Can any other webservers use mod_php? If so, they _might_ be
> vulnerable, as the supplied Apache config snippet probably doesn't apply
> to them.
> Most people I know run either CGI (if just security
> counts) or FPM (if security and/or performance counts)...
> > If upgrading to Wheezy would unconditionally break these systems,
> No,... this is not necessarily the case,.. if people have e.g. set their
> own handlers/mime-times for php in apache.

Hi again,

I have the following questions for the PHP maintainers.

1) Can libapache2-mod-php5 be vulnerable ?

2) The user base of php5-cgi is thousands (see Popcon URL below).  What feedback
   did you have from Sid and Wheezy users ?


3) Will upgrading unconditionally break sites using php5-cgi with Apache ?

4) Would you like to implement some of Christoph's suggestion or add a NEWs file to php5-cgi ?

On mime-support's side, I will not add a NEWs file, as it would interrupt the
installation of tens of thousands of systems which do not run PHP.

After your answer, I propose to send a brief summary to debian-release and
debian-devel, proposing reassign the bug to the release notes with the same

Have a nice day,

Charles Plessy
Co-maintainer of the mime-support package
Tsurumi, Kanagawa, Japan

More information about the pkg-php-maint mailing list