Re: Bug#271945: apache in woody is missing security patches/updates
On Thu, 16 Sep 2004, Matt Zimmerman wrote:
> On Thu, Sep 16, 2004 at 10:09:19PM +0200, Fabio Massimo Di Nitto wrote:
> > On Thu, 16 Sep 2004, Matt Zimmerman wrote:
> > > Maintainers, please raise the severity of this bug and contact the security
> > > team if this is an urgent issue.
> > Please can we have at least the CAN number and reference? Joey has been
> > keeping track of this iirc.
> I thisk this refers to the follow upstream changelog entry:
> *) Certain 3rd party modules would bypass the Apache API and not
> invoke ap_cleanup_for_exec() before creating sub-processes.
> To such a child process, Apache's file descriptors (lock
> fd's, log files, sockets) were accessible, allowing them
> direct access to Apache log file etc. Where the OS allows,
> we now add proactive close functions to prevent these file
> descriptors from leaking to the child processes.
> [Jim Jagielski, Martin Kraemer]
> This is a workaround for security bugs in third-party mobules (which ones?),
> and not a security fix in itself.
This problem is the one that has been discussed by Joey (iirc) together
with upstream. The result of the discussion was that it is not worth to
backport such a precaution since it includes an API change and possibly
all external modules need to be ported to it (list is unknown). Also the
benefits of this fix are minimal compared to the hundreds of many way a
user can expose sensible data with a wrong config setup.
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.