Re: Chances to accept a fix for mpm-itk in stable-proposed-updates

On Mon, May 07, 2012 at 09:29:57PM +0200, Henrik Heil wrote:
> It is not a security issue. I think it could qualify as important
> enough for stable-proposed-updates because:

FWIW, I don't think this is a security issue. I would not oppose the
inclusion of the fix, though; it's been in newer versions of mpm-itk for a
long time now without any reports of problems, and it fixes what's perhaps
the most commonly reported problem on the mpm-itk lists.

> b) The conditions are not as rare as one might think. 1) and 2) are
> good practice and 3) depends on the use case. We encountered the
> error as one of our clients wanted to separate web-applications
> of different maintainers for security reasons. Since he needed to
> switch between these applications often, he triggered the error
> easily.

FWIW, the most common cause of this (from what I can surmise from people's
bugs) would probably be when using a reverse proxy.

> c) There is no feasible workaround, given that you have to support
> mod_php (not cgi) and need the different user-IDs.

Well, you could turn off KeepAlive. And you could run different uids on
different IP addresses or ports, although especially the latter is only
feasible in the reverse-proxy scenario.

/* Steinar */
--
Homepage: http://www.sesse.net/