Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Hi Charles.

On Thu, 2012-10-11 at 09:06 +0900, Charles Plessy wrote:
> Do you think that there is a way to fix #589384 (the *.php.foo problem)
> without removing the application/x-httpd-* media types ?

I would say no, well at least not if we also want to use these media types later on in Apache to select something for interpretation.

The problem with using /etc/mime.types via the TypesConfig directive in Apache is the usual with Apache: most mod_mime directives (and maybe also others) will assign a media type if just any extension (i.e. also the foo in file.foo.bar) matches. The usual way around this is to place these directives in e.g. ; TypesConfig however is a server-wide scope directive, so this won't work here.

As I mentioned previously, I think it's very dangerous to use TypesConfig per default. It's evil by design and people should need to intentionally enable it (and then hopefully know what they're doing).

I really think we should not fiddle around with mime-types anymore, or better: I think we should stop using it to "enable files for interpretation", even if that may break some setups now. Of course we should provide release notes hints on how to make them work again, which is usually quite easy. Also, please consider that people using "advanced" stuff like FastCGI can be expected to know what they're doing.

> I did not realise before that in the current release cycle, Apache stays at
> version 2.2 and that in Jessie, configurations will need to be re-adjusted
> anyway.

It would of course be nice if we could postpone this to jessie, but...

> I think that it is a good argument for a compromise, provided that
> #589384 stays solved and that we agree that in Jessie the media types
> application/x-httpd-* will be removed from /etc/mime.types.

Right now I see no way to prevent the evil.php.jpeg issue otherwise. And note especially that FastCGI is in principle also vulnerable to this. Though I haven't checked right now how they actually select the PHP files for interpretation (which may or may not prevent the issue).

> easy way to adjust the priority of
> the SetHandler statement of php5_cgi.conf

I think it's determined by the loading order... which makes it basically impossible IMHO to really make sure it gets loaded as we want it to.

> in a way that does not break FastCGI
> configurations.

Even then we need to check whether fastcgi or fcgid are vulnerable to the evil.php.jpeg issue.

Cheers,
Chris.
Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Oh and one more thing (even though this is PHP unrelated):

Maybe I misunderstand something but it seems both:

libapache2-mod-fcgid, which uses:

    AddHandler fcgid-script .fcgi
    FcgidConnectTimeout 20

and libapache2-mod-fastcgi, which uses:

    AddHandler fastcgi-script .fcgi
    #FastCgiWrapper /usr/lib/apache2/suexec
    FastCgiIpcDir /var/lib/apache2/fastcgi

are highly vulnerable to the evil.fcgi.jpeg issue... Can you confirm this? Cause then we need to open some critical bugs.

Cheers,
Chris.
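The two mails above turn on one detail of mod_mime: extension-based directives such as AddHandler consult every dot-separated part of a file name, so a handler attached to .php or .fcgi also fires for evil.php.jpeg or evil.fcgi.jpeg, whereas a SetHandler inside a FilesMatch container whose regex is anchored with a trailing $ only fires for the real last extension. The following is an added example that models those two lookup rules side by side; it is not Apache code and not Debian's php5, fcgid or fastcgi configuration. The handler names (php5-script, fcgid-script) and the hardened patterns \.php$ and \.fcgi$ are assumptions chosen to mirror the snippets quoted above; only the handler path is modelled, not the media-type path through TypesConfig/AddType.

```python
"""Model of mod_mime handler selection under two policies.

Added example, not Apache code and not from the php5/fcgid packages.
The two configurations below are constructed assumptions.
"""
import re

# Assumed weak policy, extension-based (mirrors "AddHandler ... .php/.fcgi"):
WEAK_ADDHANDLER = {
    "php": "php5-script",
    "fcgi": "fcgid-script",
}

# Assumed hardened policy: SetHandler inside <FilesMatch "\.php$"> and
# <FilesMatch "\.fcgi$">, i.e. the regex is anchored at the end of the name.
HARDENED_FILESMATCH = [
    (r"\.php$", "php5-script"),
    (r"\.fcgi$", "fcgid-script"),
]


def extensions(path):
    """mod_mime treats every dot-separated part after the first as an
    extension: 'evil.php.jpeg' -> ['php', 'jpeg']."""
    basename = path.rsplit("/", 1)[-1]
    return [p.lower() for p in basename.split(".")[1:] if p]


def handler_by_addhandler(path, table):
    """AddHandler semantics: extensions are looked up in order and the last one
    that has a handler mapping wins. An extension with no handler mapping
    (jpeg, bak, an unknown suffix) leaves the earlier decision in place, which
    is exactly why evil.php.jpeg is still handed to the PHP handler."""
    handler = None
    for ext in extensions(path):
        if ext in table:
            handler = table[ext]
    return handler


def handler_by_filesmatch(path, rules):
    """<FilesMatch> + SetHandler semantics: the regex alone decides, and with a
    trailing '$' only the real last extension can match."""
    basename = path.rsplit("/", 1)[-1]
    handler = None
    for pattern, handler_name in rules:
        if re.search(pattern, basename):
            handler = handler_name
    return handler


def compare(path):
    """Handler chosen for one path under the weak and the hardened policy."""
    return {
        "addhandler": handler_by_addhandler(path, WEAK_ADDHANDLER),
        "filesmatch": handler_by_filesmatch(path, HARDENED_FILESMATCH),
    }


if __name__ == "__main__":
    for name in ("index.php", "evil.php.jpeg", "evil.fcgi.jpeg",
                 "backup.php.bak", "photo.jpeg"):
        print(f"{name:16} {compare(name)}")
```

Running the block prints, for each constructed file name, which handler each policy would select; the interesting rows are the ones where the weak policy returns a script handler and the anchored FilesMatch returns none. Real Apache also tracks the media type per extension, so the model is only a faithful picture of the AddHandler path the mails discuss.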
Bug#690232: apache2: Apache2 listens on tcp6 only
Package: apache2.2-common
Version: 2.2.16-6+squeeze8
Severity: normal

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile authz_host
  authz_user autoindex cgi deflate dir env mime negotiation php5
  reqtimeout setenvif status
List of enabled php5 extensions:
  mysql mysqli pdo pdo_mysql suhosin

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork  2.2.16-6+squeeze8  Apache HTTP Server - traditional n
ii  apache2.2-common     2.2.16-6+squeeze8  Apache HTTP Server common files

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils   2.2.16-6+squeeze8   utility programs for webservers
ii  apache2.2-bin   2.2.16-6+squeeze8   Apache HTTP Server common binary f
ii  libmagic1       5.04-5+squeeze2     File type determination library us
ii  lsb-base        3.2-23.2squeeze1    Linux Standard Base 3.2 init scrip
ii  mime-support    3.48-1              MIME files 'mime.types' & 'mailcap
ii  perl            5.10.1-17squeeze3   Larry Wall's Practical Extraction
ii  procps          1:3.2.8-9squeeze1   /proc file system utilities

-- no debconf information

After restarting apache2, I see:

# netstat -tanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1415/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      7985/master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      5908/mysqld
tcp        0      0 10.52.152.164:22        10.52.81.146:49538      ESTABLISHED 1433/0
tcp        0      0 10.52.152.164:22        10.52.81.146:50363      ESTABLISHED 10488/2
tcp        0      0 10.52.152.164:22        10.52.81.146:49909      ESTABLISHED 4229/1
tcp6       0      0 :::80                   :::*                    LISTEN      10525/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      1415/sshd

ports.conf is default:

NameVirtualHost *:80
Listen 80

So I did a

"echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf && reboot"

with the following result:

# netstat -tanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1249/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1521/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1655/master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1489/mysqld
tcp        0     52 10.52.152.164:22        10.52.81.146:50385      ESTABLISHED 1742/0

--
To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e75d39bad48455084ee47d614aadabbf@localhost
Bug#690232: apache2: Apache2 listens on tcp6 only
On 10/11/2012 2:11 PM, Olaf Zaplinski wrote:
> after restarting apache2, I see:
>
> # netstat -tanp
> ESTABLISHED 4229/1
> tcp6       0      0 :::80                   :::*                    LISTEN      10525/apache2
> tcp6       0      0 :::22                   :::*                    LISTEN      1415/sshd
>
> ports.conf is default:
> NameVirtualHost *:80
> Listen 80
>
> So I did a
> "echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf && reboot"
> with the following result:
>
> # netstat -tanp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1249/apache2
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1521/sshd
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1655/master
> tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1489/mysqld
> tcp        0     52 10.52.152.164:22        10.52.81.146:50385      ESTABLISHED 1742/0

Unless you have:

cat /proc/sys/net/ipv6/bindv6only
0

set to 1, you are simply misreading the output of netstat. If bindv6only is set to 0, a socket listening on :::80 means that it is operating on both IPv4 and IPv6. By default the kernel sets bindv6only to 0 on Linux.

Fabio

Archive: http://lists.debian.org/5076bad2.3010...@fabbione.net
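Fabio's point is that a tcp6 socket bound to the wildcard address :: is dual-stack unless net.ipv6.bindv6only (or the per-socket IPV6_V6ONLY option) is set, so the netstat output in the report is not evidence of an IPv6-only listener. The following is an added example, not code from the bug report or from Debian, that parses netstat -tanp style output together with a bindv6only value and reports which address families each LISTEN socket actually accepts. The sample output is constructed, modelled on the lines in the report; the bindv6only value is passed in as a parameter rather than read from /proc so the block runs anywhere.

```python
"""Interpret `netstat -tanp` LISTEN lines in the light of bindv6only.

Added example for the bindv6only discussion; not code from the bug report.
The sample output below is constructed, modelled on the report.
"""

# Constructed sample, modelled on the netstat output in the bug report.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1415/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      5908/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      10525/apache2
tcp6       0      0 ::1:25                  :::*                    LISTEN      7985/master
tcp        0      0 10.52.152.164:22        10.52.81.146:49538      ESTABLISHED 1433/sshd
"""


def split_host_port(addr):
    """'127.0.0.1:3306' -> ('127.0.0.1', 3306); ':::80' -> ('::', 80)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def address_families(proto, host, bindv6only):
    """Which address families a LISTEN socket accepts.

    A tcp6 socket bound to the unspecified address '::' also receives IPv4
    connections (as v4-mapped addresses) unless bindv6only is set.
    """
    if proto == "tcp":
        return "ipv4"
    if host.startswith("::ffff:"):       # v4-mapped bind address: IPv4 traffic only
        return "ipv4"
    if host == "::" and not bindv6only:  # wildcard bind, dual-stack
        return "ipv4+ipv6"
    return "ipv6"


def listening_sockets(netstat_output, bindv6only):
    """Map (port, 'pid/program') -> families for every LISTEN line."""
    result = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] not in ("tcp", "tcp6") or fields[5] != "LISTEN":
            continue  # header lines, established connections, anything else
        proto, local, program = fields[0], fields[3], fields[6]
        host, port = split_host_port(local)
        families = address_families(proto, host, bindv6only)
        key = (port, program)
        # A daemon may hold separate v4 and v6 sockets on one port; merge them.
        if key in result and result[key] != families:
            result[key] = "ipv4+ipv6"
        else:
            result[key] = families
    return result


def accepts_ipv4(netstat_output, bindv6only, port):
    """True if some LISTEN socket on `port` will take an IPv4 connection."""
    return any(p == port and "ipv4" in families
               for (p, _prog), families in listening_sockets(netstat_output, bindv6only).items())


if __name__ == "__main__":
    for v6only in (0, 1):
        print(f"bindv6only={v6only}")
        for (port, prog), families in sorted(listening_sockets(NETSTAT_SAMPLE, v6only).items()):
            print(f"  port {port:<5} {prog:<14} {families}")
```

With the sample input the apache2 socket on :::80 comes out as ipv4+ipv6 when bindv6only is 0 and as ipv6 only when it is 1, which is the distinction Fabio is drawing; on a live system the value to feed in is the one printed by cat /proc/sys/net/ipv6/bindv6only.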
Bug#690232: apache2: Apache2 listens on tcp6 only
Hi,

funny is: I disabled IPv6, now everything works as expected.

Olaf

Archive: http://lists.debian.org/4e7be027ab78b0ecb33bb9908941625c@localhost