
Re: [php-maint] Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems



Charles,

On Tue, Aug 14, 2012 at 2:50 AM, Charles Plessy <plessy@debian.org> wrote:
> On Tue, Aug 14, 2012 at 02:27:33AM +0200, Christoph Anton Mitterer wrote:
>>
>> Question: Can any other web servers use mod_php? If so, they _might_ be
>> vulnerable, as the supplied Apache config snippet probably doesn't apply
>> to them.
>
>> Most people I know run either CGI (if just security
>> counts) or FPM (if security and/or performance counts)...
>
>> > If upgrading to Wheezy would unconditionally break these systems,
>> No, this is not necessarily the case, if people have e.g. set their
>> own handlers/mime-types for PHP in Apache.
>
> Hi again,
>
> I have the following questions for the PHP maintainers.
>
> 1) Can libapache2-mod-php5 be vulnerable?

I don't think so. And from my testing it doesn't seem to be the case.

> 2) The user base of php5-cgi is thousands (see Popcon URL below). What feedback
>    did you have from Sid and Wheezy users?
>
>    http://qa.debian.org/popcon-graph.php?packages=php5-cgi+libapache2-mod-php5&show_vote=on&from_date=&to_date=&hlght_date=&date_fmt=%25Y-%25m&beenhere=1

None.

> 3) Will upgrading unconditionally break sites using php5-cgi with Apache ?

Probably.

> 4) Would you like to implement some of Christoph's suggestions or add a NEWS file to php5-cgi?

Yes, I will probably add a NEWS file to php5-cgi. Do you already have some
text which can be added to the release notes, or do we still need to cook
something up? I would like to keep this text in sync.

> On mime-support's side, I will not add a NEWS file, as it would interrupt the
> installation of tens of thousands of systems which do not run PHP.

Understood.

> After your answer, I propose to send a brief summary to debian-release and
> debian-devel, proposing to reassign the bug to the release notes with the same
> severity.

Will you take care of that?

O.
-- 
Ondřej Surý <ondrej@sury.org>
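The thread above turns on whether a site's Apache configuration maps .php to php5-cgi through the application/x-httpd-php media type (which on Debian was supplied by mime-support's /etc/mime.types) or through an Apache handler set in Apache's own config. The fragment below is an added illustration, not configuration from this thread or from the Debian php5-cgi or mime-support packages; the paths /usr/lib/cgi-bin/php5 and /cgi-bin/ and the handler name php5-cgi-handler are assumptions, and both forms require mod_actions, mod_alias and mod_cgi (or mod_cgid) to be enabled.

```apache
# Fragile form (assumed shape, check your own /etc/apache2 for the real one):
# the Action fires only if Apache has already typed the file as
# application/x-httpd-php. If that type comes from /etc/mime.types via
# TypesConfig and the entry disappears, the Action never matches and
# .php files are served as plain text, exposing source and credentials.
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
Action application/x-httpd-php /cgi-bin/php5

# Robust form: bind the extension to a handler name inside Apache's own
# configuration, so nothing depends on the system-wide mime.types file.
# FilesMatch with an anchored pattern is used rather than AddHandler,
# because AddHandler matches the extension anywhere in a multi-dot name
# (e.g. upload.php.txt), which is a classic execution bypass.
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<FilesMatch "\.php$">
    SetHandler php5-cgi-handler
</FilesMatch>
Action php5-cgi-handler /cgi-bin/php5
```

After any change (or after an upgrade that touches mime-support), verify from the outside rather than trusting the config: fetch a known .php URL with curl and confirm the response body does not contain the literal text "<?php"; if it does, the interpreter is not being invoked and the file is being served as source.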

