Le Tue, Aug 14, 2012 at 02:27:33AM +0200, Christoph Anton Mitterer a écrit : > > Question: Can any other webservers use mod_php? If so, they _might_ be > vulnerable, as the supplied Apache config snippet probably doesn't apply > to them. > Most people I know run either CGI (if just security > counts) or FPM (if security and/or performance counts)... > > If upgrading to Wheezy would unconditionally break these systems, > No,... this is not necessarily the case,.. if people have e.g. set their > own handlers/mime-times for php in apache.
Hi again, I have the following questions for the PHP maintainers. 1) Can libapache2-mod-php5 be vulnerable ? 2) The user base of php5-cgi is thousands (see Popcon URL below). What feedback did you have from Sid and Wheezy users ? http://qa.debian.org/popcon-graph.php?packages=php5-cgi+libapache2-mod-php5&show_vote=on&from_date=&to_date=&hlght_date=&date_fmt=%25Y-%25m&beenhere=1 3) Will upgrading unconditionally break sites using php5-cgi with Apache ? 4) Would you like to implement some of Christoph's suggestion or add a NEWs file to php5-cgi ? On mime-support's side, I will not add a NEWs file, as it would interrupt the installation of tens of thousands of systems which do not run PHP. After your answer, I propose to send a brief summary to debian-release and debian-devel, proposing reassign the bug to the release notes with the same severity. Have a nice day, -- Charles Plessy Co-maintainer of the mime-support package Tsurumi, Kanagawa, Japan -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
