Your message dated Tue, 14 Oct 2008 14:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#495027: fixed in drupal5 5.10-2
has caused the Debian Bug report #495027,
regarding drupal5: Session table keeps growing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
495027: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495027
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: drupal5
Version: 5.9-1
Severity: minor
Tags: patch

I'm reporting this bug on behalf of Kamthorn Krairaksa, who found it a
year ago, as published in this blog (in Thai) [1], but felt reluctant to
report it himself.

  [1] http://kamthorn.org/2007/09/12/drupaldebian-%E0%B8%81%E0%B8%B1%E0%B8%9A%E0%B8%9B%E0%B8%B1%E0%B8%8D%E0%B8%AB%E0%B8%B2%E0%B8%95%E0%B8%B2%E0%B8%A3%E0%B8%B2%E0%B8%87-sessions-%E0%B9%82%E0%B8%95%E0%B8%82%E0%B8%B6%E0%B9%89%E0%B8%99

On Debian, user sessions in Drupal's database table keep growing without
being garbage-collected, despite session.gc_maxlifetime being set to a
lower number in php.ini. This can be a serious problem for high-traffic
sites.

The problem is caused by a php5 customization in Debian's php.ini that sets
the GC probability to zero:

---8<---
; Define the probability that the 'garbage collection' process is started
; on every session initialization.
; The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts
; on each request.

; This is disabled in the Debian packages, due to the strict permissions
; on /var/lib/php5.  Instead of setting this here, see the cronjob at
; /etc/cron.d/php5, which uses the session.gc_maxlifetime setting below
;session.gc_probability = 0
session.gc_divisor     = 100
---8<---

And GC is instead done with a cron job, which simply clears sessions by
removing aged files in /var/lib/php5/, as follows:

---8<---
# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
---8<---

However, what's required for Drupal is to call sess_gc() so that the SQL
query to delete aged rows from the sessions table is executed. So, Drupal
requires an exception from the above customization.

One possible fix is to add these lines to sites/default/settings.php to
override it:

---8<---
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);
---8<---

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages drupal5 depends on:
ii  apache2                       2.2.9-6    Apache HTTP Server metapackage
ii  apache2-mpm-worker [httpd]    2.2.9-6    Apache HTTP Server - high speed th
ii  curl                          7.18.2-5   Get a file from an HTTP, HTTPS or
ii  dbconfig-common               1.8.39     common framework for packaging dat
ii  debconf                       1.5.22     Debian configuration management sy
ii  exim4                         4.69-6     metapackage to ease Exim MTA (v4)
ii  exim4-daemon-light [mail-tran 4.69-6     lightweight Exim MTA (v4) daemon
ii  php5                          5.2.6-2    server-side, HTML-embedded scripti
ii  php5-gd                       5.2.6-2+b1 GD module for php5
ii  php5-pgsql                    5.2.6-2+b1 PostgreSQL module for php5
ii  postgresql-client-8.2 [postgr 8.2.7-2+b1 front-end programs for PostgreSQL
ii  postgresql-client-8.3 [postgr 8.3.3-1    front-end programs for PostgreSQL
ii  wwwconfig-common              0.1.2      Debian web auto configuration

Versions of packages drupal5 recommends:
pn  mysql-server | postgresql     <none>     (no description available)

drupal5 suggests no packages.

-- debconf information excluded



--- End Message ---
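
The mechanism described in the report above, modelled as an added example (not part of the original message or of the drupal5 package): each session start runs the handler's GC callback with probability gc_probability/gc_divisor, and the callback deletes rows older than the maximum lifetime. The two-column SQLite table, the `simulate` function, the request spacing and the 1440-second lifetime are assumptions made for the illustration.

```python
import random
import sqlite3


def simulate(gc_probability, gc_divisor, maxlifetime=1440,
             requests=5000, step=10, seed=1):
    """Return (total_rows, stale_rows) after `requests` session starts.

    One new session row is written per request, `step` seconds apart.
    GC fires with probability gc_probability/gc_divisor per request.
    """
    rng = random.Random(seed)  # fixed seed keeps the run repeatable
    db = sqlite3.connect(":memory:")
    # Constructed stand-in for a database-backed sessions table:
    # only the columns the garbage collector needs.
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, timestamp INTEGER)")
    now = 0
    for i in range(requests):
        now = i * step
        db.execute("INSERT INTO sessions VALUES (?, ?)", (f"sid{i}", now))
        # With gc_probability = 0 this branch is never taken, so nothing
        # ever deletes rows; a cron job that removes session *files*
        # does not touch the table.
        if gc_probability > 0 and rng.randrange(gc_divisor) < gc_probability:
            db.execute("DELETE FROM sessions WHERE timestamp < ?",
                       (now - maxlifetime,))
    cutoff = now - maxlifetime
    total = db.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]
    stale = db.execute("SELECT COUNT(*) FROM sessions WHERE timestamp < ?",
                       (cutoff,)).fetchone()[0]
    db.close()
    return total, stale


if __name__ == "__main__":
    for prob, div in [(0, 100), (1, 100), (1, 1)]:
        total, stale = simulate(prob, div)
        print(f"gc {prob}/{div}: {total} rows, {stale} older than maxlifetime")
```

The stale-row count is the figure to watch on a live site: a table whose number of rows older than session.gc_maxlifetime only ever increases indicates that the handler's GC callback is not being invoked.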
--- Begin Message ---
Source: drupal5
Source-Version: 5.10-2

We believe that the bug you reported is fixed in the latest version of
drupal5, which is due to be installed in the Debian FTP archive:

drupal5_5.10-2.diff.gz
  to pool/main/d/drupal5/drupal5_5.10-2.diff.gz
drupal5_5.10-2.dsc
  to pool/main/d/drupal5/drupal5_5.10-2.dsc
drupal5_5.10-2_all.deb
  to pool/main/d/drupal5/drupal5_5.10-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <[EMAIL PROTECTED]> (supplier of updated drupal5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 14 Oct 2008 15:45:38 +0200
Source: drupal5
Binary: drupal5
Architecture: source all
Version: 5.10-2
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <[EMAIL PROTECTED]>
Changed-By: Luigi Gangitano <[EMAIL PROTECTED]>
Description: 
 drupal5    - a fully-featured content management framework
Closes: 494208 494537 495027 498806 501063 501635
Changes: 
 drupal5 (5.10-2) unstable; urgency=high
 .
   [Luigi Gangitano]
   * Urgency high due to security fixes
 .
   * debian/po/it.po
     - Updated Italian debconf translation, thanks to Luca Monducci
       (Closes: #494537)
 .
   * debian/cron.sh
     - Fixed error when BASE_URL is not cleaned (Closes: #494208, #498806)
 .
   * debian/README.Debian
     - Added a notice about cookie security and session.cookie_secure
       configuration (Ref: CVE-2008-3661) (Closes: #501063)
 .
   * debian/patches/11-SA-2008-060
     - Added upstream patch fixing several security vulnerabilities
       (Ref: SA-2008-060, CVE-TBA) (Closes: #501635)
 .
   * debian/etc/settings.php
     - Added exception to Debian PHP session customization allowing for
       session table rows aging and removal, thanks to Kamthorn Krairaksa
       and  Theppitak Karoonboonyanan. (Closes: #495027)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkj0q7wACgkQ8ZumGJJMDCbElwCfbaEDLohwpB3XG1ed0u+MsBQO
dcIAn2/0ev8FBJXW7wG2mCcvZRY+17TT
=QZwk
-----END PGP SIGNATURE-----



--- End Message ---
