Charles,

On Tue, Aug 14, 2012 at 2:50 AM, Charles Plessy <ple...@debian.org> wrote:
> On Tue, Aug 14, 2012 at 02:27:33AM +0200, Christoph Anton Mitterer wrote:
>>
>> Question: Can any other webservers use mod_php? If so, they _might_ be
>> vulnerable, as the supplied Apache config snippet probably doesn't apply
>> to them.
>
>> Most people I know run either CGI (if just security
>> counts) or FPM (if security and/or performance counts)...
>
>> > If upgrading to Wheezy would unconditionally break these systems,
>> No,... this is not necessarily the case,.. if people have e.g. set their
>> own handlers/mime-types for php in apache.
>
> Hi again,
>
> I have the following questions for the PHP maintainers.
>
> 1) Can libapache2-mod-php5 be vulnerable ?

I don't think so. And from my testing it doesn't seem to be the case.

> 2) The user base of php5-cgi is thousands (see Popcon URL below). What
> feedback did you have from Sid and Wheezy users ?
>
> http://qa.debian.org/popcon-graph.php?packages=php5-cgi+libapache2-mod-php5&show_vote=on&from_date=&to_date=&hlght_date=&date_fmt=%25Y-%25m&beenhere=1

None.

> 3) Will upgrading unconditionally break sites using php5-cgi with Apache ?

Probably.

> 4) Would you like to implement some of Christoph's suggestion or add a NEWS
> file to php5-cgi ?

Yes, I will probably add a NEWS file to php5-cgi. Do you already have some
text which can be added to release notes or do we still need to cook
something up? I would like to keep this text in sync.

> On mime-support's side, I will not add a NEWS file, as it would interrupt the
> installation of tens of thousands of systems which do not run PHP.

Understood.

> After your answer, I propose to send a brief summary to debian-release and
> debian-devel, proposing to reassign the bug to the release notes with the same
> severity.

Will you take care of that?

O.
--
Ondřej Surý <ond...@sury.org>