On Sun, 2012-08-19 at 22:32 +0200, Marco d'Itri wrote: > I am also concerned that a *simple* solution to restore the old > behaviour in a secure way is not provided: maybe php5-cgi should install > a sensible default configuration in /etc/apache2/conf.d/ ? Again, I don't think this saves us from the current need for a NEWS file and release notes entry, but... I've opened #685340, proposing: a) a single php config file for Apache, that enables the MIME-Types (or handlers) b) but that does _not_ enable (Action and ScriptAlias directives) PHP globally on the server. I think this is unclean and not the best with regards to security. Also not any possible vhost needs the mapping to /cgi-bin/. The goal should be that sysadmins (or package maintainers) set the Action and ScriptAlias directives in their config snippets... But this is definitely something for jessie. Cheers, Chris.
Description: S/MIME cryptographic signature