[php-maint] Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems
ondrej at debian.org
Tue Aug 14 07:51:46 UTC 2012
On Tue, Aug 14, 2012 at 2:50 AM, Charles Plessy <plessy at debian.org> wrote:
> Le Tue, Aug 14, 2012 at 02:27:33AM +0200, Christoph Anton Mitterer a écrit :
>> Question: Can any other webservers use mod_php? If so, they _might_ be
>> vulnerable, as the supplied Apache config snippet probably doesn't apply
>> to them.
>> Most people I know run either CGI (if just security
>> counts) or FPM (if security and/or performance counts)...
>> > If upgrading to Wheezy would unconditionally break these systems,
>> No,... this is not necessarily the case,.. if people have e.g. set their
>> own handlers/mime-times for php in apache.
> Hi again,
> I have the following questions for the PHP maintainers.
> 1) Can libapache2-mod-php5 be vulnerable ?
I don't think so. And from my testing it doesn't seem to be the case.
> 2) The user base of php5-cgi is thousands (see Popcon URL below). What feedback
> did you have from Sid and Wheezy users ?
> 3) Will upgrading unconditionally break sites using php5-cgi with Apache ?
> 4) Would you like to implement some of Christoph's suggestion or add a NEWs file to php5-cgi ?
Yes, I will probably add NEWS file to php5-cgi. Do you already have some
text which can be added to release notes or we still need to cook something
up? I would like to keep this text in sync.
> On mime-support's side, I will not add a NEWs file, as it would interrupt the
> installation of tens of thousands of systems which do not run PHP.
> After your answer, I propose to send a brief summary to debian-release and
> debian-devel, proposing reassign the bug to the release notes with the same
Will you take care of that?
Ondřej Surý <ondrej at sury.org>
More information about the pkg-php-maint