Re: Possible release note for systems running PHP through CGI.

To: debian-release@lists.debian.org, debian-devel@lists.debian.org
Subject: Re: Possible release note for systems running PHP through CGI.
From: Christoph Anton Mitterer <calestyo@scientia.net>
Date: Mon, 20 Aug 2012 00:58:42 +0200
Message-id: <[🔎] 1345417122.3276.44.camel@fermat.scientia.net>
In-reply-to: <[🔎] 20120819203220.GA8158@bongo.bofh.it>
References: <[🔎] 20120819021726.GC20875@falafel.plessy.net> <[🔎] 20120819203220.GA8158@bongo.bofh.it>

Hey Russ, Marco.

On Sun, 2012-08-19 at 22:32 +0200, Marco d'Itri wrote:
> >    thousands of installations wich report the use of php5-cgi according to the
> >    Popularity Contest statistics.
> Yes, because sensible people who need PHP will try to use it as 
> CGI/FastCGI (or FPM, finally in wheezy).
Well... unfortunately upstream is quite stupid (to be honest) in that
they suggest mod_php as default.
It's from a security point of view the worst possible solution and from
a performance view at least not better than FPM (likely worse).

I would like to see Debian deviate from this and actively suggest CGI or
FCGI... but all my notes towards this were immediately turned down and I
did not even succeed in convincing them in adding far less intrusive
security and/or performance optimisations (just have a look at #674205)

But if anyone would lobby that (release goal: default to CGI/FCGI),
they'd have definitely my support :)

> I think that this entry is too mild/vague:
> - "including but possibly not limited to the Apache HTTPD Server": such 
>   a major issue justifies being specific about the affected packages
The reason why I wrote it that vague is, that you cannot definitely tell
whether a package is vulnerable or not, because it's not the package but
the configuration.
So if one made his own Apache config, used RemoveType php as I suggested
in the respective bugs and set the types new, one would be perfectly
safe.

And further,... at least I was not able to make a definite list even of
possibly affected packages.
Apache with PHP-CGI/FCGI is affected for sure... mod_php not, but only
because Ondrej included a sane default config for this.

> I am also concerned that a *simple* solution to restore the old 
> behaviour in a secure way is not provided: maybe php5-cgi should install 
> a sensible default configuration in /etc/apache2/conf.d/ ?
That was just the idea I had yesterday night, but I haven't had time yet to file a bug for it.
But actually I'd suggest that this goes to php5-common, and ALL PHP
SAPIs share a single conf.

Nevertheless,... this solves the issue ONLY for apache,... and won't
save use (at least if we don't ignore the security of our users) from
adding notes in NEWS file and release notes.

Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to:

Follow-Ups:
- Re: Possible release note for systems running PHP through CGI.
  - From: Jon Dowland <jmtd@debian.org>

References:
- Possible release note for systems running PHP through CGI.
  - From: Charles Plessy <plessy@debian.org>
- Re: Possible release note for systems running PHP through CGI.
  - From: md@Linux.IT (Marco d'Itri)

Prev by Date: Re: Enabling uupdate to simply remove files from upstream source (Was: Minified javascript files)
Next by Date: Re: Bug#684396: ITP: openrc -- alternative boot mechanism that manages the services, startup and shutdown of a host
Previous by thread: Re: Possible release note for systems running PHP through CGI.
Next by thread: Re: Possible release note for systems running PHP through CGI.
Index(es):
- Date
- Thread