Bug#271945: apache in woody is missing security patches/updates
Package: apache Version: 1.3.26-0woody5 Tags: woody, security In 1.3.28 there is a patch that prevents file descriptors leaking to child processes, this is not present. This causes processes spawned by php (in this case 4.1.2-6woody3, not tested 4.1.2-7.0.1 yet) to have full access to the apache logs, sockets etc. I suggest this patch could be backported.
Bug#271945: apache in woody is missing security patches/updates
Maintainers, please raise the severity of this bug and contact the security team if this is an urgent issue. -- - mdz
Re: Bug#271945: apache in woody is missing security patches/updates
On Thu, 16 Sep 2004, Matt Zimmerman wrote: Maintainers, please raise the severity of this bug and contact the security team if this is an urgent issue. Please can we have at least the CAN number and reference? Joey has been keeping track of this iirc. Fabio -- user fajita: step one fajita Whatever the problem, step one is always to look in the error log. user fajita: step two fajita When in danger or in doubt, step two is to scream and shout.
Bug#271945: apache in woody is missing security patches/updates
On Thu, Sep 16, 2004 at 10:09:19PM +0200, Fabio Massimo Di Nitto wrote: On Thu, 16 Sep 2004, Matt Zimmerman wrote: Maintainers, please raise the severity of this bug and contact the security team if this is an urgent issue. Please can we have at least the CAN number and reference? Joey has been keeping track of this iirc. I thisk this refers to the follow upstream changelog entry: *) Certain 3rd party modules would bypass the Apache API and not invoke ap_cleanup_for_exec() before creating sub-processes. To such a child process, Apache's file descriptors (lock fd's, log files, sockets) were accessible, allowing them direct access to Apache log file etc. Where the OS allows, we now add proactive close functions to prevent these file descriptors from leaking to the child processes. [Jim Jagielski, Martin Kraemer] This is a workaround for security bugs in third-party mobules (which ones?), and not a security fix in itself. -- - mdz