
Bug#762026: marked as done (php5-cgi + libapache2-mod-fcgid wheezy upgrade problem not documented well)



Your message dated Sun, 3 Mar 2019 20:35:55 +0100
with message-id <7b603213-96c5-8056-b6d3-7b2c7a62a7f6@debian.org>
and subject line close release-notes bugs for releases before stretch
has caused the Debian Bug report #762026,
regarding php5-cgi + libapache2-mod-fcgid wheezy upgrade problem not documented well
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
762026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762026
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release-notes
Version: 7

Hi,

The squeeze to wheezy upgrade of php5-cgi fixes one security problem and
introduces another on some systems, by way of refusing to run some PHP code,
which in turn makes it expose PHP program source. The problem is documented
in #687307.

The file /usr/share/doc/php5-cgi/NEWS.Debian.gz had been updated to include:

  * As a side effect of the MIME-Type changes in the mime-support package,
    the default Apache 2 configuration will no longer perform HTTP content
    negotiation on the PHP file extensions, which was very questionable
    anyway.  If you really want to re-enable this support then please read
    /usr/share/doc/php5-common/README.Debian file for further
    instructions.

Unfortunately, this is just lousy documentation - it's both unlikely anyone
will see it before the dist-upgrade, and it's unlikely that they will
connect the dots between this mumbo jumbo up there and the actual symptoms
you observe following the upgrade.

The release notes mention a php5-suhosin problem already, which is great,
so they should also include something like this in roughly the same place:

	If you have installed both the php5-cgi and the libapache2-mod-fcgid
	package, and set up Apache so that .php files are processed through
	these two, the upgrade will enable a new Apache module configuration
	called 'php5_cgi', which in turn may conflict with this use case and
	introduce an information disclosure security problem if left
	unattended following the upgrade.

	Please read /usr/share/doc/php5-cgi/NEWS.Debian.gz for more
	information.

TIA.

-- 
     2. That which causes joy or happiness.

--- End Message ---
--- Begin Message ---
Hi,

We are sorry that we were not able to handle your contribution or
suggestion for changes to the release-notes. I am going over old bugs
and I am closing all the items that were suggested for the release-notes
of Debian releases before stretch. On the good side, some even appear to
have been applied, without the bug being closed.

Please don't hesitate to open a new bug if you think your suggestion is
still valuable for the release-notes of buster. If you do that, we'd
appreciate it when you try to summarize the issue properly when the
closed bug was more than a couple of messages.

Paul




--- End Message ---
