[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: https://issues.apache.org/bugzilla/show_bug.cgi?id=46425

Hi Christian,

On Tuesday 18 May 2010, Christian Kapalczynski wrote:
> just found the Bug about the "apr lib" which has been fixed by
> Stefan in "apr 1.3.6". In Debian Lenny there is still the package
> 1.2.12-5+lenny1 with the Security BUG available.
> Since through this BUG you can compromise the system by Listening
> to Port 80 or read every FD from the Apache Fork via a PHP or
> Shell script i was wondering why there is no security package
> update for apr 1.2.12-5+lenny1 to 1.3.6 at least or 1.4.2-3
> Testing is going to be backported for Lenny?

this is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=366124
and affects only mod_php. As Debian's security support for mod_php is 
somewhat limited as far as malicious php scripts are concerned [1], 
this bug does not have high priority. If you are concerned about 
malicious php scripts, it is in any case a good idea to use suexec or 
fcgi to make them run as a different user.

Maybe there will be an update for 1.2.12 in lenny in a stable point 
release, or maybe a newer version of apr will be made available via 
backports.org (there has been some demand for that). But I don't think 
this bug warrants a DSA.


[1] see /usr/share/doc/libapache2-mod-php5/README.Debian.security

Reply to: