[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Chances to accept a fix for mpm-itk in stable-proposed-updates


"Steinar H. Gunderson" schrieb am 7.5.2012:
> On Mon, May 07, 2012 at 04:20:08PM +0200, Henrik Heil wrote:
>> [...] would this qualify for the next point release [...]?
> I doubt it; as I see it, it falls outside what would usually be considered
> applicable for stable, but the Apache maintainers and Stable Release Managers
> might disagree. You should probably ask them.

as suggested by Steinar, I'd like to try my luck and ask for the
chances to accept a fix for mpm-itk in stable-proposed-updates. The
bug (that is fixed in testing) causes a intermittent denial of service
under certain (arguably rare) conditions that cannot be completely
avoided in a shared hosting environment mpm-itk was invented for in
the first place.

The conditions are: 

1) KeepAlive On
2) A .htaccess file that is not world readable.
3) A visitor who requests virtual hosts that have been assigned to
   different user-IDs in one connection.

It is not a security issue. I think it could qualify as important
enough for stable-proposed-updates because:

a) If triggered, the users are effectively locked out. The end-user
   reflex to hit reload on an unconditional error prolongs the
   lockout until MaxKeepAliveRequests is reached.
b) The conditions are not as rare as one might think. 1) and 2) are
   good practice and 3) depends on the use case. We encountered the
   error as one of our clients wanted to separate web-applications
   of different maintainers for security reasons. Since he needed to
   switch between these applications often, he triggered the error
c) There is no feasible workaround, given that you have to support
   mod_php (not cgi) and need the different user-IDs.
d) The patch [1] is small and looks innocent enough to the untrained

[1] http://mpm-itk.sesse.net/apache2.2-mpm-itk-2.2.17-01/11-fix-htaccess-reads-for-persistent-connections.patch 

Thanks for considering,

Reply to: