[php-maint] php5-cgi + libapache2-mod-fcgid wheezy upgrade problem not documented well

Josip Rodin joy at debbugs.entuzijast.net
Wed Sep 17 20:17:55 UTC 2014

Package: release-notes
Version: 7


The squeeze to wheezy upgrade of php5-cgi fixes one security problem and
introduces another on some systems, by way of refusing to run some PHP code,
which in turn makes it expose PHP program source. The problem is documented
in #687307.

The file /usr/share/doc/php5-cgi/NEWS.Debian.gz had been updated to include:

  * As a side effect of the MIME-Type changes in the mime-support package,
    the default Apache 2 configuration will no longer perform HTTP content
    negotiation on the PHP file extensions, which was very questionable
    anyway.  If you really want to re-enable this support then please read
    /usr/share/doc/php5-common/README.Debian file for further

Unfortunately, this is just lousy documentation - it's both unlikely anyone
will see it before the dist-upgrade, and it's unlikely that they will
connect the dots between this mumbo jumbo up there and the actual symptoms
you observe following the upgrade.

The release notes mention a php5-suhosin problem already, which is great,
so they should also include something like this in roughly the same place:

	If you have installed both the php5-cgi and the libapache2-mod-fcgid
	package, and set up Apache so that .php files are processed through
	these two, the upgrade will enable a new Apache module configuration
	called 'php5_cgi', which in turn may conflict with this use case and
	introduce an information disclosure security problem if left
	unattended following the upgrade.

	Please read /usr/share/doc/php5-cgi/NEWS.Debian.gz for more


     2. That which causes joy or happiness.

More information about the pkg-php-maint mailing list