Re: Review of php5-cgi NEWS file
Ondřej Surý wrote:
> could you please check the new paragraph I have just added to php5-cgi
> NEWS file? It should warn the people to check the PHP (mainly
> FastCGI) configuration as described in #687307.
That is:
| php5 (5.4.4-5) unstable; urgency=low
|
| Please be aware that the mime-support package has dropped non-standard
| definitions for PHP that might affect any systems using PHP 5 running
| as CGI or FastCGI. The following definitions were dropped:
This says that the mime-definitions might affect particular systems,
when what it ought to say is that the *change* might affect them, so
while I'm here I'll give it a minimal fix of s/ that/, which/
|
| application/x-httpd-php phtml pht php
| application/x-httpd-php-source phps
| application/x-httpd-php3 php3
| application/x-httpd-php3-preprocessed php3p
| application/x-httpd-php4 php4
| application/x-httpd-php5 php5
|
| The php5-cgi package mitigates any known issues by creating a (dummy)
| apache2 module php5_cgi with a configuration containing handlers for
| all previously defined extensions. Even though we believe that this
| configuration should keep your PHP scripts interpreted, it might be a
| good idea to check your apache2 site-wide configuration as well as
| any specific PHP configuration for websites running on your system.
I would suggest s/interpreted/working/, unless it really does mean
that there's a risk it'll cause your PHP scripts to become compiled
binaries instead.
| The new (dummy) php5_cgi configuration uses SetHandler directive and
| thus it might interfere with your existing custom configuration like
| FastCGI (mod_fcgid or mod_fastcgi). In that case please disable
| php5_cgi module (a2dismod php5_cgi) to reenable the existing
| functionality of your custom configuration. It is also advised that
| you check your custom configuration whether it's not vulnerable to
| foo.php.jpeg attacks. The php5_cgi configuration snippet can be used
| as base - it's important to use FilesMatch or Files directive to
| limit the handling to the last extension.
Yes, this has a few unidiomatic bits, though it's not hard to see
what it means:
The new (dummy) php5_cgi configuration uses the SetHandler directive,
which might interfere with existing custom configurations such as
FastCGI (mod_fcgid or mod_fastcgi). If so, you can reenable the
existing functionality of your custom configuration by disabling the
php5_cgi module (a2dismod php5_cgi), but you are also advised to
check whether your custom configuration is vulnerable to foo.php.jpeg
attacks. The php5_cgi configuration snippet can be used as a base -
it's important to use the FilesMatch or Files directive to limit the
handling to the last extension.
| As far as we know definitions from the mime-support packages are not
| used in any other webserver included in Debian, but it might affect
| any application which relies on system MIME types to interpret PHP
| files.
|
| -- Ondřej Surý <ondrej@debian.org> Wed, 15 Aug 2012 10:31:31 +0200
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
php5 (5.4.4-5) unstable; urgency=low

Please be aware that the mime-support package has dropped non-standard
definitions for PHP, which might affect any systems using PHP 5
running as CGI or FastCGI. The following definitions were dropped:

application/x-httpd-php phtml pht php
application/x-httpd-php-source phps
application/x-httpd-php3 php3
application/x-httpd-php3-preprocessed php3p
application/x-httpd-php4 php4
application/x-httpd-php5 php5

The php5-cgi package mitigates any known issues by creating a (dummy)
apache2 module php5_cgi with a configuration containing handlers for
all previously defined extensions. Even though we believe that this
configuration should keep your PHP scripts working, it might be a
good idea to check your apache2 site-wide configuration as well as
any specific PHP configuration for websites running on your system.

The new (dummy) php5_cgi configuration uses the SetHandler directive,
which might interfere with existing custom configurations such as
FastCGI (mod_fcgid or mod_fastcgi). If so, you can reenable the
existing functionality of your custom configuration by disabling the
php5_cgi module (a2dismod php5_cgi), but you are also advised to
check whether your custom configuration is vulnerable to foo.php.jpeg
attacks. The php5_cgi configuration snippet can be used as a base -
it's important to use the FilesMatch or Files directive to limit the
handling to the last extension.

As far as we know definitions from the mime-support packages are not
used in any other webserver included in Debian, but it might affect
any application which relies on system MIME types to interpret PHP
files.

-- Ondřej Surý <ondrej@debian.org> Wed, 15 Aug 2012 10:31:31 +0200
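The "limit the handling to the last extension" point in the NEWS text, as an added example that is not part of the original mail or of Debian's php5_cgi configuration: a small Python model of Apache's extension matching (AddHandler/AddType treating every dot-separated segment as an extension versus a $-anchored FilesMatch regex), plus an audit function that flags configuration lines which would bind a PHP handler to a name like foo.php.jpeg. The matching semantics are assumed from mod_mime's documented behaviour, and the configuration it scans is constructed for the example.

```python
import re

# Extensions listed in the NEWS entry; LAST_EXT anchors on the final one.
PHP_EXTENSIONS = {"phtml", "pht", "php", "phps", "php3", "php3p", "php4", "php5"}
LAST_EXT = re.compile(r"\.(" + "|".join(sorted(PHP_EXTENSIONS)) + r")$")
ADD_DIRECTIVE = re.compile(r"(?i)^(AddHandler|AddType)\s+\S+\s+(.+)$")
FILESMATCH = re.compile(r'(?i)^<FilesMatch\s+"?([^">]+?)"?\s*>$')

def handled_by_addhandler(filename):
    """AddHandler/AddType: every dot-separated segment is an extension to mod_mime."""
    segments = filename.rsplit("/", 1)[-1].split(".")[1:]
    return any(s.lower() in PHP_EXTENSIONS for s in segments)

def handled_by_filesmatch(filename):
    """FilesMatch with a $-anchored regex: only the last extension counts."""
    return LAST_EXT.search(filename.rsplit("/", 1)[-1]) is not None

def filesmatch_regex_hits(regex):
    """True if a FilesMatch regex fires on any foo.<php-ext>.jpeg probe name."""
    try:
        return any(re.search(regex, "foo.%s.jpeg" % e) for e in PHP_EXTENSIONS)
    except re.error:  # unparsable pattern: report it rather than crash
        return True

def audit_config(config_text):
    """Return (line number, line) for directives that would fire on foo.php.jpeg."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        m = ADD_DIRECTIVE.match(stripped)
        if m:  # '.php' here also covers foo.php.jpeg
            exts = {e.lstrip(".").lower() for e in m.group(2).split()}
            hit = bool(exts & PHP_EXTENSIONS)
        else:
            m = FILESMATCH.match(stripped)
            hit = bool(m) and filesmatch_regex_hits(m.group(1))
        if hit:
            findings.append((lineno, stripped))
    return findings

# Constructed sample configuration, not any real Debian file.
SAMPLE_CONFIG = """\
AddHandler fcgid-script .php .php5
<FilesMatch "\\.php">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\\.ph(p[345]?|tml|t|ps)$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""
```

Running audit_config(SAMPLE_CONFIG) reports the AddHandler line and the unanchored FilesMatch, while the $-anchored block passes.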