Your message dated Thu, 18 Oct 2007 15:03:30 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#416424: fixed in suphp 0.6.2-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libapache-mod-suphp
Version: 0.5.2-3
Severity: critical

There seems to be a serious security bug when using suphp
with apache 1.3.x on Sarge (and also on Etch).

Due to a bug in the suphp (or apache) package it is
necessary to use
        AddHandler x-httpd-php .php

instead of the preferred
        AddType x-httpd-php .php

Because of this a file called 'image.php.jpg' is
interpreted and executed as a PHP file (not as an image),
which makes the execution of arbitrary code possible when
(for example) a poorly written image-upload form fails to
properly check the file extension.

More info can be found here:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg00065.html

Note: Apache2 doesn't seem affected. It however generates a
'[warn] Cannot get media type from x-httpd-php' warning in
the apache error-log, each time a php-file is called upon.

Regards,
Fili

--- End Message ---
--- Begin Message ---
Source: suphp
Source-Version: 0.6.2-2

We believe that the bug you reported is fixed in the latest version of
suphp, which is due to be installed in the Debian FTP archive:

libapache2-mod-suphp_0.6.2-2_i386.deb
  to pool/main/s/suphp/libapache2-mod-suphp_0.6.2-2_i386.deb
suphp-common_0.6.2-2_i386.deb
  to pool/main/s/suphp/suphp-common_0.6.2-2_i386.deb
suphp_0.6.2-2.diff.gz
  to pool/main/s/suphp/suphp_0.6.2-2.diff.gz
suphp_0.6.2-2.dsc
  to pool/main/s/suphp/suphp_0.6.2-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Lacour <[EMAIL PROTECTED]> (supplier of updated suphp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 14 Oct 2007 19:42:30 +0200
Source: suphp
Binary: libapache2-mod-suphp suphp-common
Architecture: source i386
Version: 0.6.2-2
Distribution: unstable
Urgency: low
Maintainer: [EMAIL PROTECTED]
Changed-By: Emmanuel Lacour <[EMAIL PROTECTED]>
Description: 
 libapache2-mod-suphp - Apache2 module to run php scripts with the owner permissions
 suphp-common - Common files for mod suphp
Closes: 416424 429079
Changes: 
 suphp (0.6.2-2) unstable; urgency=low
 .
   * remove apache 1.x package (closes: #429079)
   * debian/rules, debian/compat, debian/control: lintian cleanup
   * debian/conf/suphp.conf, debian/patches/01_debian.dpatch: replaced
     AddHandler by AddType and x-httpd-php by application/x-httpd-php to get
     the same behavior as mod php with filenames extensions (closes: #416424)
Files: 
 6cc2c78e737f46e07bae8861fb5eb4c3 733 web optional suphp_0.6.2-2.dsc
 fece84144ec27630ab83b4c7ebd68b39 82062 web optional suphp_0.6.2-2.diff.gz
 e7afcb27c06eee8d1387df76698eb874 78610 web optional suphp-common_0.6.2-2_i386.deb
 e571f7497b35654ab5fc83f9a7365c5c 16668 web optional libapache2-mod-suphp_0.6.2-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHF3ImoR3LsWeD7V4RAgluAJ9OQzlK5gHug4m4+l+fUkcCqlM3aQCglZn2
xrj1Cx1xKlM3MVxEEsGMR2k=
=v8gU
-----END PGP SIGNATURE-----



--- End Message ---
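The two messages above turn on one detail of Apache's mod_mime that is easy to miss: every dotted suffix of a requested filename is consulted, a handler is attached if any suffix maps to one (AddHandler), while the media type is taken from the last suffix that maps to one (AddType). The script below is an added example, not code from the bug thread or from the suphp package. It models that resolution rule for the weak configuration in the report (`AddHandler x-httpd-php .php`) and for the corrected one in the 0.6.2-2 changelog (`AddType application/x-httpd-php .php`), and adds the upload-side check the reporter alludes to: validate every extension of an uploaded name, not just the final one. The function names, the `MimeConfig` structure, the extension lists and the filenames are the example's own; the assumption that suphp dispatches on the resolved media type once AddType is used is noted in the code.

```python
"""Why 'image.php.jpg' runs as PHP under AddHandler but not under AddType.

Added example for the suphp #416424 thread; not part of Debian's or suphp's
code. Models Apache mod_mime's multiple-extension rule: a handler is set by
ANY matching suffix, the media type by the LAST matching suffix.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MimeConfig:
    """Only the two directive families that matter for this bug."""
    handlers: dict = field(default_factory=dict)  # AddHandler: ext -> handler
    types: dict = field(default_factory=dict)     # AddType: ext -> media type


# Weak: what the Sarge/Etch suphp package shipped (AddHandler x-httpd-php .php).
# Other mappings are assumed defaults, present only so .jpg resolves to a type.
WEAK = MimeConfig(handlers={".php": "x-httpd-php"},
                  types={".jpg": "image/jpeg", ".html": "text/html"})

# Fixed: suphp 0.6.2-2 changelog (AddType application/x-httpd-php .php).
FIXED = MimeConfig(handlers={},
                   types={".php": "application/x-httpd-php",
                          ".jpg": "image/jpeg", ".html": "text/html"})


def extensions(filename: str) -> list:
    """'/path/image.php.jpg' -> ['.php', '.jpg'] (basename suffixes, in order)."""
    base = filename.rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def resolve_request(cfg: MimeConfig, filename: str) -> tuple:
    """Return (handler, media_type) the way mod_mime assigns them.

    Walking the suffixes left to right, a handler mapping sticks once seen,
    and each type mapping overwrites the previous one, so the last wins.
    """
    handler: Optional[str] = None
    mtype: Optional[str] = None
    for ext in extensions(filename):
        if ext in cfg.handlers:
            handler = cfg.handlers[ext]
        if ext in cfg.types:
            mtype = cfg.types[ext]
    return handler, mtype


def executes_as_php(cfg: MimeConfig, filename: str) -> bool:
    """True if the request would reach the PHP handler.

    Under AddHandler the handler name decides. Under AddType the request is
    assumed (as with suphp's suPHP_AddHandler) to be selected by the final
    media type, so a trailing .jpg hides the .php in the middle of the name.
    """
    handler, mtype = resolve_request(cfg, filename)
    if handler == "x-httpd-php":
        return True
    return mtype == "application/x-httpd-php"


# Upload-side defence, independent of the server config. The script list is
# the example's own; extend it to every suffix your server maps to PHP.
SCRIPT_EXTENSIONS = frozenset({".php", ".phtml"})
IMAGE_EXTENSIONS = frozenset({".jpg", ".jpeg", ".png", ".gif"})


def upload_name_is_safe(filename: str, allowed: frozenset = IMAGE_EXTENSIONS) -> bool:
    """Accept only if the last suffix is an allowed image type AND no suffix
    anywhere in the name is a script extension ('image.php.jpg' is rejected)."""
    exts = extensions(filename)
    if not exts or exts[-1] not in allowed:
        return False
    return not any(e in SCRIPT_EXTENSIONS for e in exts)


if __name__ == "__main__":
    for cfg_name, cfg in (("AddHandler (weak)", WEAK), ("AddType (fixed)", FIXED)):
        for name in ("index.php", "image.php.jpg", "photo.jpg"):
            print(f"{cfg_name:18} {name:15} -> {resolve_request(cfg, name)}"
                  f"  php={executes_as_php(cfg, name)}")
    for name in ("photo.jpg", "image.php.jpg", "shell.php"):
        print(f"upload {name:15} safe={upload_name_is_safe(name)}")
```

Run stand-alone it prints the resolution for each name under both configurations; the line to look at is `image.php.jpg`, which gets the `x-httpd-php` handler under the weak config and plain `image/jpeg` under the fixed one. The upload check is still worth keeping even on a fixed server, since a later configuration change or another module can reintroduce handler-based dispatch.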
