Hey Russ, Marco.

On Sun, 2012-08-19 at 22:32 +0200, Marco d'Itri wrote:
> > thousands of installations which report the use of php5-cgi according to the
> > Popularity Contest statistics.
> Yes, because sensible people who need PHP will try to use it as
> CGI/FastCGI (or FPM, finally in wheezy).

Well... unfortunately upstream is quite stupid (to be honest) in that they
suggest mod_php as default. From a security point of view it's the worst
possible solution, and from a performance view at least not better than FPM
(likely worse).

I would like to see Debian deviate from this and actively suggest CGI or
FCGI... but all my notes towards this were immediately turned down, and I
did not even succeed in convincing them to add far less intrusive security
and/or performance optimisations (just have a look at #674205).

But if anyone would lobby for that (release goal: default to CGI/FCGI),
they'd definitely have my support :)

> I think that this entry is too mild/vague:
> - "including but possibly not limited to the Apache HTTPD Server": such
> a major issue justifies being specific about the affected packages

The reason I wrote it that vaguely is that you cannot definitely tell
whether a package is vulnerable or not, because it's not the package but
the configuration. So if one made his own Apache config, used RemoveType
php as I suggested in the respective bugs and set the types anew, one
would be perfectly safe.

And further,... at least I was not able to make a definite list even of
possibly affected packages. Apache with PHP-CGI/FCGI is affected for
sure... mod_php not, but only because Ondrej included a sane default
config for this.

> I am also concerned that a *simple* solution to restore the old
> behaviour in a secure way is not provided: maybe php5-cgi should install
> a sensible default configuration in /etc/apache2/conf.d/ ?

That was just the idea I had yesterday night, but I haven't had time yet
to file a bug for it.

But actually I'd suggest that this goes to php5-common, and ALL PHP SAPIs
share a single conf. Nevertheless,... this solves the issue ONLY for
apache,... and won't save us (at least if we don't ignore the security of
our users) from adding notes to the NEWS file and the release notes.

Cheers,
Chris.
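The "RemoveType plus set the types anew" approach mentioned above, written out as an Apache 2.2 conf.d fragment for php5-cgi. This is an added example, not from the mail and not the configuration shipped by Debian's php5 packages; the CGI install path (/usr/lib/cgi-bin/php5), the DocumentRoot (/var/www/) and the simplified `\.php$` pattern are assumptions. The weak form is shown commented out for contrast: mod_mime treats every dot-separated part of a file name as an extension, so a handler keyed on `.php` also applies to a name like `avatar.php.jpg`, and a handler takes precedence over the MIME type derived from the last extension. The hardened form drops any inherited mapping inside the document tree and re-adds it anchored to the end of the file name only.

```apache
# Added example (not from the mail, not Debian's php5 packaging):
# /etc/apache2/conf.d/ fragment for php5-cgi.  Paths are assumed.

# WEAK, kept commented out for contrast: keying the handler on the
# ".php" extension.  mod_mime applies it to every dot-separated part
# of a file name, so "avatar.php.jpg" is handed to the PHP CGI too.
#
#   AddHandler application/x-httpd-php .php
#   Action application/x-httpd-php /php5-cgi

<IfModule mod_actions.c>
    # Private URL under which mod_actions reaches the CGI binary.
    # Assumed install path of the php5-cgi executable.
    ScriptAlias /php5-cgi /usr/lib/cgi-bin/php5

    # Remove* directives are only valid in vhost/directory context,
    # hence the wrapper.  Assumed DocumentRoot.
    <Directory /var/www/>
        # Drop any mapping inherited from TypesConfig (/etc/mime.types)
        # or from another snippet, for both type and handler.
        RemoveType .php .phtml
        RemoveHandler .php .phtml

        # Re-add the mapping only for names that END in .php.
        <FilesMatch "\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>
    </Directory>

    # mod_actions dispatches on the handler name set above.
    Action application/x-httpd-php /php5-cgi
</IfModule>
```

After installing such a fragment, `apache2ctl configtest` followed by a request for a file named e.g. `test.php.jpg` under the DocumentRoot should return the raw bytes rather than interpreter output; the same check against the commented-out form is what turns a file-upload directory into a code-execution path, which is why the mail insists the safe setting has to come from a shared default configuration rather than from each administrator remembering it.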