Your message dated Sat, 25 Aug 2012 11:26:25 +0900
with message-id <20120825022625.ga2...@falafel.plessy.net>
and subject line This bug was fixed in php5/5.4.4-5
has caused the Debian Bug report #674089,
regarding mime-support: removed application/x-httpd-* can lead to immense
security problems
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
674089: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674089
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mime-support
Version: 3.52-1
Severity: critical
Tags: security
Justification: breaks unrelated software
Hi.
In 3.52-1 you removed application/x-httpd-* to close #589384.
This happened without any notice to the NEWS files and I really
wonder whether any thought has been spent on which tremendous
security effects this can have.
Given that most people (reasonably) rely on /etc/mime.types
to determine the MIME type for files e.g. with Apache removal
of the above means e.g. that php scripts are no longer determined
as such, but now directly shown as text files.
With all security effects you can think of and all you even can't
think of.
And of course it breaks countless working installations
using e.g. php.
a) If you make such a tremendous change you have to announce it
in the release file.
b) Removing the type is definitely the wrong decision.
Apache provides many means to change the handlers and if all that
shouldn't work (which I doubt) one can simply disable the use of
/etc/mime.types.
It's not the business of mime.type to please any specific user,...
like it seems to me with the aforementioned bug.
Nor should it be mime.type's business to please any software if that
was broken (but as said, apache is not).
Obviously application/x-* are not official flags, but if that was
the reason we'd have to remove much more than just the php ones.
Cheers,
Chris.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.17-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
mime-support depends on no packages.
Versions of packages mime-support recommends:
ii file 5.11-1
mime-support suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: php5/5.4.4-5
As per http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674089#206
--
Charles Plessy
Tsurumi, Kanagawa, Japan
--- End Message ---
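
The dependency described in the report above, as an added example (not part of the original messages or of any Debian package): a small Python check that tells whether an extension's application/x-httpd-* mapping comes only from a mime.types-format file or also from an explicit Apache AddType/AddHandler line. The sample file contents and the function names are constructed for illustration.

```python
# Constructed sample inputs (not taken from a real system).
MIME_TYPES_OLD = """\
# constructed excerpt in mime.types format, before the removal
application/x-httpd-php    phtml pht php
text/html                  html htm
"""
MIME_TYPES_NEW = """\
# constructed excerpt after the application/x-httpd-* lines are gone
text/html                  html htm
"""
APACHE_CONF_EXPLICIT = """\
# constructed Apache snippet with an explicit mapping
AddType application/x-httpd-php .php
"""

def mime_types_for(ext, mime_types_text):
    """Return the MIME types a mime.types-format text assigns to ext."""
    found = []
    for line in mime_types_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and ext.lower() in (f.lower() for f in fields[1:]):
            found.append(fields[0])
    return found

def explicit_apache_mappings(ext, conf_text):
    """Return (directive, value) for AddType/AddHandler lines naming ext."""
    # Simplification: SetHandler blocks and Include files are not followed.
    hits = []
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].lower() not in ("addtype", "addhandler"):
            continue
        if ext.lower() in (f.lstrip(".").lower() for f in fields[2:]):
            hits.append((fields[0], fields[1]))
    return hits

def audit(ext, mime_types_text, conf_text=""):
    """Classify where the script mapping for ext comes from."""
    if explicit_apache_mappings(ext, conf_text):
        return "explicit"          # survives changes to mime.types
    types = mime_types_for(ext, mime_types_text)
    if any(t.startswith("application/x-httpd-") for t in types):
        return "mime.types-only"   # breaks when the package drops the line
    return "unmapped"              # the state the report describes

if __name__ == "__main__":
    for name, mt in (("old", MIME_TYPES_OLD), ("new", MIME_TYPES_NEW)):
        print(name, audit("php", mt), audit("php", mt, APACHE_CONF_EXPLICIT))
```

A result of "mime.types-only" marks a setup that a package upgrade removing the line would move to "unmapped".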