Debian Bug report logs - #613345
please document session.gc_maxlifetime being set to 0 in NEWS.Debian

Package: libapache2-mod-php5; Maintainer for libapache2-mod-php5 is (unknown);

Reported by: Pierre Habouzit <madcoder@debian.org>

Date: Mon, 14 Feb 2011 08:48:02 UTC

Severity: normal

Found in version php5/5.3.3-7

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#613345; Package libapache2-mod-php5. (Mon, 14 Feb 2011 08:48:04 GMT)


Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 14 Feb 2011 08:48:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-php5: gc_probability set to 0
Date: Mon, 14 Feb 2011 09:44:14 +0100
Package: libapache2-mod-php5
Version: 5.3.3-7
Severity: grave

The last php5 upload sets session.gc_probability to 0, which means that
sessions aren't GC'ed anymore which is a possible source for DOSes




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#613345; Package libapache2-mod-php5. (Mon, 14 Feb 2011 12:06:08 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 14 Feb 2011 12:06:08 GMT)


Message #10 received at 613345@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: Pierre Habouzit <madcoder@debian.org>, 613345@bugs.debian.org
Subject: Re: [php-maint] Bug#613345: libapache2-mod-php5: gc_probability set to 0
Date: Mon, 14 Feb 2011 13:03:44 +0100
close 613345
thank you

From php5-common.README.Debian:

Session storage
---------------

    Session files are stored in /var/lib/php5.  For security purposes, this
    directory is unreadable by non-root users.  This means that php5 running
    from apache2, for example, will not be able to clean up stale session
    files.  Instead, we have a cron job run every 30 mins that cleans up
    stale session files; /etc/cron.d/php5.  You may need to modify how
    often this runs, if you've modified session.gc_maxlifetime in your
    php.ini; otherwise, it may be too lax or overly aggressive in cleaning
    out stale session files.

Andres Salomon <dilinger@debian.org>  Fri, 03 Sep 2004 03:12:54 -0400


On Mon, Feb 14, 2011 at 09:44, Pierre Habouzit <madcoder@debian.org> wrote:
> Package: libapache2-mod-php5
> Version: 5.3.3-7
> Severity: grave
>
> The last php5 upload sets session.gc_probability to 0, which means that
> sessions aren't GC'ed anymore which is a possible source for DOSes



-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/
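
The arrangement described in the README excerpt quoted in the message above (in-process GC off, an external job removing stale files) can be checked from the shell. This is an added example, not part of the thread and not Debian's own cron job; the function names and the use of the 30-minute interval as a grace period are assumptions.

```shell
#!/bin/sh
# Added example (not Debian's /etc/cron.d/php5): audit session cleanup when
# PHP's in-process session GC is disabled. Function names are hypothetical.

# Print the last uncommented value of a php.ini directive (empty if unset).
ini_get() {  # usage: ini_get PHP_INI DIRECTIVE
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

# Count sess_* files in DIR whose mtime is more than SECONDS in the past.
count_stale() {  # usage: count_stale DIR SECONDS
    minutes=$(( ($2 + 59) / 60 ))
    find "$1" -type f -name 'sess_*' -mmin +"$minutes" | wc -l | tr -d ' '
}

# Return 1 when GC is off (gc_probability = 0) and files older than
# gc_maxlifetime plus GRACE seconds (default 1800, the 30-minute cron
# interval from the README) are still present, i.e. nothing is cleaning up.
audit_sessions() {  # usage: audit_sessions PHP_INI SESSION_DIR [GRACE]
    prob=$(ini_get "$1" session.gc_probability)
    life=$(ini_get "$1" session.gc_maxlifetime)
    prob=${prob:-1}        # PHP built-in default
    life=${life:-1440}     # PHP built-in default, in seconds
    stale=$(count_stale "$2" $(( life + ${3:-1800} )))
    echo "gc_probability=$prob gc_maxlifetime=$life overdue_files=$stale"
    if [ "$prob" = "0" ] && [ "$stale" -gt 0 ]; then
        return 1
    fi
    return 0
}
```

Because /var/lib/php5 is unreadable by non-root users, the audit has to run as root; pass it the php.ini that the web server SAPI actually loads.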




Bug closed, send any further explanations to Pierre Habouzit <madcoder@debian.org> Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 14 Feb 2011 12:06:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#613345; Package libapache2-mod-php5. (Mon, 14 Feb 2011 14:00:11 GMT)


Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 14 Feb 2011 14:00:12 GMT)


Message #17 received at 613345@bugs.debian.org:

From: Pierre Habouzit <madcoder@debian.org>
To: Ondřej Surý <ondrej@debian.org>
Cc: 613345@bugs.debian.org, control@bugs.debian.org
Subject: Re: [php-maint] Bug#613345: libapache2-mod-php5: gc_probability set to 0
Date: Mon, 14 Feb 2011 14:57:41 +0100
reopen 613345
retitle 613345 please document session.gc_maxlifetime being set to 0 in NEWS.Debian
severity 613345 normal
thanks

On Mon, Feb 14, 2011 at 01:03:44PM +0100, Ondřej Surý wrote:
> close 613345
> thank you
> 
> From php5-common.README.Debian:
> 
> Session storage
> ---------------
> 
>     Session files are stored in /var/lib/php5.  For security purposes, this
>     directory is unreadable by non-root users.  This means that php5 running
>     from apache2, for example, will not be able to clean up stale session
>     files.  Instead, we have a cron job run every 30 mins that cleans up
>     stale session files; /etc/cron.d/php5.  You may need to modify how
>     often this runs, if you've modified session.gc_maxlifetime in your
>     php.ini; otherwise, it may be too lax or overly aggressive in cleaning
>     out stale session files.
> 
> Andres Salomon <dilinger@debian.org>  Fri, 03 Sep 2004 03:12:54 -0400

Why wasn't it put in NEWS.Debian ?  I watch this file and wouldn't have
raised the bug if I had seen that.

This is a disruptive change that should go there.
-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org




Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 14 Feb 2011 14:00:13 GMT)


Changed Bug title to 'please document session.gc_maxlifetime being set to 0 in NEWS.Debian' from 'libapache2-mod-php5: gc_probability set to 0' Request was from Pierre Habouzit <madcoder@debian.org> to control@bugs.debian.org. (Mon, 14 Feb 2011 14:00:14 GMT)


Severity set to 'normal' from 'grave' Request was from Pierre Habouzit <madcoder@debian.org> to control@bugs.debian.org. (Mon, 14 Feb 2011 14:00:15 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#613345; Package libapache2-mod-php5. (Mon, 14 Feb 2011 14:15:08 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 14 Feb 2011 14:15:08 GMT)


Message #28 received at 613345@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: Pierre Habouzit <madcoder@debian.org>
Cc: 613345@bugs.debian.org, control@bugs.debian.org
Subject: Re: [php-maint] Bug#613345: libapache2-mod-php5: gc_probability set to 0
Date: Mon, 14 Feb 2011 15:10:19 +0100
close 613345
thank you

I am sorry, but the cron job mechanism has been there since php4 4:4.3.8-8
and it's well documented in php.ini (i.e. no change has happened since
2004). I don't really see a reason why we should put it in
NEWS.Debian now.

Ondrej

On Mon, Feb 14, 2011 at 14:57, Pierre Habouzit <madcoder@debian.org> wrote:
> reopen 613345
> retitle 613345 please document session.gc_maxlifetime being set to 0 in NEWS.Debian
> severity 613345 normal
> thanks
>
> On Mon, Feb 14, 2011 at 01:03:44PM +0100, Ondřej Surý wrote:
>> close 613345
>> thank you
>>
>> From php5-common.README.Debian:
>>
>> Session storage
>> ---------------
>>
>>     Session files are stored in /var/lib/php5.  For security purposes, this
>>     directory is unreadable by non-root users.  This means that php5 running
>>     from apache2, for example, will not be able to clean up stale session
>>     files.  Instead, we have a cron job run every 30 mins that cleans up
>>     stale session files; /etc/cron.d/php5.  You may need to modify how
>>     often this runs, if you've modified session.gc_maxlifetime in your
>>     php.ini; otherwise, it may be too lax or overly aggressive in cleaning
>>     out stale session files.
>>
>> Andres Salomon <dilinger@debian.org>  Fri, 03 Sep 2004 03:12:54 -0400
>
> Why wasn't it put in NEWS.Debian ?  I watch this file and wouldn't have
> raised the bug if I had seen that.
>
> This is a disruptive change that should go there.
> --
> ·O·  Pierre Habouzit
> ··O                                                madcoder@debian.org
> OOO                                                http://www.madism.org
>



-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/




Bug closed, send any further explanations to Pierre Habouzit <madcoder@debian.org> Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 14 Feb 2011 14:15:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Mar 2011 07:36:49 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:53:13 2023; Machine Name: buxtehude
