Package: apache Version: 1.3.26-0woody5 Tags: woody, security
In 1.3.28 there is a patch that prevents file descriptors leaking to child processes, this is not present. This causes processes spawned by php (in this case 4.1.2-6woody3, not tested 4.1.2-7.0.1 yet) to have full access to the apache logs, sockets etc.
I suggest this patch could be backported.
