[php-maint] php5-cgi + libapache2-mod-fcgid wheezy upgrade problem not documented well
Josip Rodin
joy at debbugs.entuzijast.net
Wed Sep 17 20:17:55 UTC 2014
Package: release-notes
Version: 7
Hi,
The squeeze to wheezy upgrade of php5-cgi fixes one security problem and
introduces another on some systems, by way of refusing to run some PHP code,
which in turn makes it expose PHP program source. The problem is documented
in #687307.
The file /usr/share/doc/php5-cgi/NEWS.Debian.gz had been updated to include:

    * As a side effect of the MIME-Type changes in the mime-support package,
      the default Apache 2 configuration will no longer perform HTTP content
      negotiation on the PHP file extensions, which was very questionable
      anyway. If you really want to re-enable this support then please read
      /usr/share/doc/php5-common/README.Debian file for further
      instructions.

Unfortunately, this is just lousy documentation - it's both unlikely anyone
will see it before the dist-upgrade, and it's unlikely that they will
connect the dots between this mumbo jumbo up there and the actual symptoms
you observe following the upgrade.
The release notes mention a php5-suhosin problem already, which is great,
so they should also include something like this in roughly the same place:
    If you have installed both the php5-cgi and the libapache2-mod-fcgid
    package, and set up Apache so that .php files are processed through
    these two, the upgrade will enable a new Apache module configuration
    called 'php5_cgi', which in turn may conflict with this use case and
    introduce an information disclosure security problem if left
    unattended following the upgrade.

    Please read /usr/share/doc/php5-cgi/NEWS.Debian.gz for more
    information.

TIA.
--
2. That which causes joy or happiness.
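A post-upgrade check in the spirit of the proposed note, added here as an example and not part of the original report: it tests whether the php5_cgi configuration and mod_fcgid are both enabled, and whether a .php URL that should render comes back as raw source. The module file names (php5_cgi.conf and fcgid.load under /etc/apache2/mods-enabled) and the URL are assumptions.

```shell
#!/bin/sh
# Post-upgrade check for the php5-cgi / libapache2-mod-fcgid conflict the
# report describes. The module file names below are assumed Debian wheezy
# defaults; adjust them for your system.
APACHE_MODS_ENABLED="${APACHE_MODS_ENABLED:-/etc/apache2/mods-enabled}"

# Returns 0 when the new php5_cgi configuration and mod_fcgid are both
# enabled, which is the situation the report says needs attention.
conflicting_modules_enabled() {
    dir="${1:-$APACHE_MODS_ENABLED}"
    [ -e "$dir/php5_cgi.conf" ] && [ -e "$dir/fcgid.load" ]
}

# Returns 0 when a response body looks like unprocessed PHP source
# (it contains a PHP open tag) instead of the script's rendered output.
body_looks_like_php_source() {
    printf '%s' "$1" | grep -qF '<?php'
}

# Fetches a .php URL that should produce HTML and reports whether the
# body leaks source. Requires curl; the URL is supplied by the caller.
url_leaks_php_source() {
    body_looks_like_php_source "$(curl -fsS "$1")"
}

# Usage: sh check.sh http://example.invalid/index.php   (placeholder URL)
if [ "$#" -gt 0 ]; then
    if conflicting_modules_enabled; then
        echo "WARNING: php5_cgi.conf and fcgid.load are both enabled"
    fi
    if url_leaks_php_source "$1"; then
        echo "WARNING: $1 returned raw PHP source"
        exit 1
    fi
    echo "OK: $1 did not return PHP source"
fi
```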