Package: release-notes
Version: 7

Hi,

The squeeze to wheezy upgrade of php5-cgi fixes one security problem and introduces another on some systems, by way of refusing to run some PHP code, which in turn makes it expose PHP program source. The problem is documented in #687307.

The file /usr/share/doc/php5-cgi/NEWS.Debian.gz had been updated to include:

  * As a side effect of the MIME-Type changes in the mime-support package,
    the default Apache 2 configuration will no longer perform HTTP content
    negotiation on the PHP file extensions, which was very questionable
    anyway. If you really want to re-enable this support then please read
    /usr/share/doc/php5-common/README.Debian file for further instructions.

Unfortunately, this is just lousy documentation - it's both unlikely anyone will see it before the dist-upgrade, and it's unlikely that they will connect the dots between this mumbo jumbo up there and the actual symptoms you observe following the upgrade.

The release notes mention a php5-suhosin problem already, which is great, so they should also include something like this in roughly the same place:

  If you have installed both the php5-cgi and the libapache2-mod-fcgid
  package, and set up Apache so that .php files are processed through
  these two, the upgrade will enable a new Apache module configuration
  called 'php5_cgi', which in turn may conflict with this use case and
  introduce an information disclosure security problem if left unattended
  following the upgrade. Please read /usr/share/doc/php5-cgi/NEWS.Debian.gz
  for more information.

TIA.

--
2. That which causes joy or happiness.