
Re: Chances to accept a fix for mpm-itk in stable-proposed-updates

On Mon, May 07, 2012 at 09:29:57PM +0200, Henrik Heil wrote:
> It is not a security issue. I think it could qualify as important
> enough for stable-proposed-updates because:

FWIW, I don't think this is a security issue. I would not oppose the
inclusion of the fix, though; it's been in newer versions of mpm-itk for a
long time now without any reports of problems, and it fixes what's perhaps
the most commonly reported problem on the mpm-itk lists.

> b) The conditions are not as rare as one might think. 1) and 2) are
>    good practice and 3) depends on the use case. We encountered the
>    error as one of our clients wanted to separate web-applications
>    of different maintainers for security reasons. Since he needed to
>    switch between these applications often, he triggered the error
>    easily.

FWIW, the most common cause of this (from what I can surmise from people's
bugs) would probably be when using a reverse proxy.

> c) There is no feasible workaround, given that you have to support
>    mod_php (not cgi) and need the different user-IDs.

Well, you could turn off KeepAlive. And you could run different uids on
different IP addresses or ports, although especially the latter is only
feasible in the reverse-proxy scenario.

/* Steinar */
Homepage: http://www.sesse.net/
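
The two workarounds mentioned in the message above, sketched as an Apache configuration fragment. This is an added example, not part of the original message or of the mpm-itk documentation; the ports, host names, paths and account names are constructed placeholders. `KeepAlive` is a core Apache directive and `AssignUserID` is mpm-itk's per-vhost user/group directive.

```apache
# Option 1: disable persistent connections server-wide, so no single
# connection carries requests for virtual hosts with different uids.
KeepAlive Off

# Option 2 (alternative to option 1): give each uid its own port, so a
# client connection only ever reaches virtual hosts sharing one uid.
# As the message notes, separate ports are mainly practical when a
# reverse proxy in front maps each application to its backend port.
Listen 8081
Listen 8082

<VirtualHost *:8081>
    ServerName app-a.example.test
    DocumentRoot /srv/www/app-a
    # Placeholder account: requests for this vhost run as app-a:app-a
    AssignUserID app-a app-a
</VirtualHost>

<VirtualHost *:8082>
    ServerName app-b.example.test
    DocumentRoot /srv/www/app-b
    # Placeholder account: requests for this vhost run as app-b:app-b
    AssignUserID app-b app-b
</VirtualHost>
```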
