Chances to accept a fix for mpm-itk in stable-proposed-updates
"Steinar H. Gunderson" wrote on 7.5.2012:
> On Mon, May 07, 2012 at 04:20:08PM +0200, Henrik Heil wrote:
>> [...] would this qualify for the next point release [...]?
> I doubt it; as I see it, it falls outside what would usually be considered
> applicable for stable, but the Apache maintainers and Stable Release Managers
> might disagree. You should probably ask them.
As suggested by Steinar, I'd like to try my luck and ask for the
chances to accept a fix for mpm-itk in stable-proposed-updates. The
bug (that is fixed in testing) causes an intermittent denial of service
under certain (arguably rare) conditions that cannot be completely
avoided in a shared hosting environment mpm-itk was invented for in
the first place.
The conditions are:
1) KeepAlive On
2) A .htaccess file that is not world readable.
3) A visitor who requests virtual hosts that have been assigned to
different user-IDs in one connection.
It is not a security issue. I think it could qualify as important
enough for stable-proposed-updates because:
a) If triggered, the users are effectively locked out. The end-user
reflex to hit reload on an unconditional error prolongs the
lockout until MaxKeepAliveRequests is reached.
b) The conditions are not as rare as one might think. 1) and 2) are
good practice and 3) depends on the use case. We encountered the
error as one of our clients wanted to separate web-applications
of different maintainers for security reasons. Since he needed to
switch between these applications often, he triggered the error
c) There is no feasible workaround, given that you have to support
mod_php (not cgi) and need the different user-IDs.
d) The patch is small and looks innocent enough to the untrained
Thanks for considering,
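
Added example, not part of the original mail or of mpm-itk: a minimal check of whether a host meets conditions 1) and 2) above together with the configuration prerequisite for 3), namely virtual hosts assigned to different users via mpm-itk's `AssignUserID`. The sample configuration, host names, users and all function names are constructed for illustration, and the parser assumes a simple single-file configuration without includes.

```python
import os, re, stat, tempfile

# Constructed sample config; {root} is filled with a temporary directory.
SAMPLE_CONF = """\
KeepAlive On
<VirtualHost *:80>
    ServerName app-a.example
    DocumentRoot {root}/app-a
    AssignUserID alice alice
</VirtualHost>
<VirtualHost *:80>
    ServerName app-b.example
    DocumentRoot {root}/app-b
    AssignUserID bob bob
</VirtualHost>
"""

def parse_conf(text):
    """Return (keepalive_on, [(docroot, user), ...]) from simple config text."""
    # KeepAlive defaults to On, so only an explicit Off disables it.
    keepalive = not re.search(r"^\s*KeepAlive\s+Off\b", text, re.I | re.M)
    vhosts = []
    for block in re.findall(r"<VirtualHost\b.*?</VirtualHost>", text, re.I | re.S):
        root = re.search(r"^\s*DocumentRoot\s+(\S+)", block, re.I | re.M)
        user = re.search(r"^\s*AssignUserID\s+(\S+)", block, re.I | re.M)
        if root and user:
            vhosts.append((root.group(1).strip('"'), user.group(1)))
    return keepalive, vhosts

def private_htaccess(docroot):
    """List .htaccess files under docroot that lack the world-read bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        path = os.path.join(dirpath, ".htaccess")
        if ".htaccess" in files and not os.stat(path).st_mode & stat.S_IROTH:
            hits.append(path)
    return hits

def exposure(text):
    """Report which of the conditions hold for this config and file tree."""
    keepalive, vhosts = parse_conf(text)
    multi_uid = len({user for _, user in vhosts}) > 1
    files = [p for root, _ in vhosts for p in private_htaccess(root)]
    return {"keepalive": keepalive, "multi_uid": multi_uid,
            "private_htaccess": files,
            "exposed": keepalive and multi_uid and bool(files)}

def build_sample_tree():
    """Create two constructed docroots; only app-a's .htaccess is private."""
    root = tempfile.mkdtemp()
    for name, mode in (("app-a", 0o640), ("app-b", 0o644)):
        os.makedirs(os.path.join(root, name))
        path = os.path.join(root, name, ".htaccess")
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```
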