[php-maint] Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

Charles Plessy plessy at debian.org
Tue Aug 14 00:50:46 UTC 2012


On Tue, Aug 14, 2012 at 02:27:33AM +0200, Christoph Anton Mitterer wrote:
> 
> Question: Can any other webservers use mod_php? If so, they _might_ be
> vulnerable, as the supplied Apache config snippet probably doesn't apply
> to them.
 
> Most people I know run either CGI (if just security
> counts) or FPM (if security and/or performance counts)...
 
> > If upgrading to Wheezy would unconditionally break these systems,
> No,... this is not necessarily the case,.. if people have e.g. set their
> own handlers/mime-types for php in apache.

Hi again,

I have the following questions for the PHP maintainers.

1) Can libapache2-mod-php5 be vulnerable?

2) The user base of php5-cgi is thousands (see Popcon URL below).  What feedback
   did you have from Sid and Wheezy users?

   http://qa.debian.org/popcon-graph.php?packages=php5-cgi+libapache2-mod-php5&show_vote=on&from_date=&to_date=&hlght_date=&date_fmt=%25Y-%25m&beenhere=1

3) Will upgrading unconditionally break sites using php5-cgi with Apache?

4) Would you like to implement some of Christoph's suggestions or add a NEWS file to php5-cgi?

On mime-support's side, I will not add a NEWS file, as it would interrupt the
installation of tens of thousands of systems which do not run PHP.

After your answer, I propose to send a brief summary to debian-release and
debian-devel, proposing to reassign the bug to the release notes with the same
severity.

Have a nice day,

-- 
Charles Plessy
Co-maintainer of the mime-support package
Tsurumi, Kanagawa, Japan


