Bug#271945: apache in woody is missing security patches/updates
On Thu, Sep 16, 2004 at 10:09:19PM +0200, Fabio Massimo Di Nitto wrote:
> On Thu, 16 Sep 2004, Matt Zimmerman wrote:
> > Maintainers, please raise the severity of this bug and contact the security
> > team if this is an urgent issue.
> Please can we have at least the CAN number and reference? Joey has been
> keeping track of this iirc.
I thisk this refers to the follow upstream changelog entry:
*) Certain 3rd party modules would bypass the Apache API and not
invoke ap_cleanup_for_exec() before creating sub-processes.
To such a child process, Apache's file descriptors (lock
fd's, log files, sockets) were accessible, allowing them
direct access to Apache log file etc. Where the OS allows,
we now add proactive close functions to prevent these file
descriptors from leaking to the child processes.
[Jim Jagielski, Martin Kraemer]
This is a workaround for security bugs in third-party mobules (which ones?),
and not a security fix in itself.