Debian Bug report logs - #687307
Security issue after PHP upgrade


Package: php5-cgi; Maintainer for php5-cgi is Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>; Source for php5-cgi is src:php5.

Reported by: Dmitry Kolesnikov <kastaneda@gmail.com>

Date: Tue, 11 Sep 2012 15:48:01 UTC

Severity: normal

Merged with 687418, 689440

Found in version php5/5.4.4-7

Fixed in versions php5/5.4.8-1, php5/5.4.4-9

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Tue, 11 Sep 2012 15:48:04 GMT)

Acknowledgement sent to Dmitry Kolesnikov <kastaneda@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 11 Sep 2012 15:48:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Dmitry Kolesnikov <kastaneda@gmail.com>
To: submit@bugs.debian.org
Subject: Security issue after PHP upgrade
Date: Tue, 11 Sep 2012 18:44:37 +0300
Package: php5-cgi
Version: 5.4.4-7

I use the FastCGI version of PHP and I have manually configured Apache's
mod_fcgid and mod_suexec. After upgrading php5_cli to 5.4.4-7, Apache
suddenly began to pass source PHP scripts without handling. This can
be a serious security concern for those sites that do not store
sensitive scripts (like configuration of database connections) outside
of document root.

After performing a2dismod php5_cgi everything returned to normal. I
guess this is an impact of bug #685340.

Here are some pieces of my configuration files, with the real domain
replaced by 'example.com' and the username replaced by 'example':


/etc/apache2/conf.d/php-fcgid
=====================

Alias       /fcgi-bin/  /var/www/fcgi-bin.d/

ProcessLifeTime         3600
MaxRequestsPerProcess   20000
FcgidMaxRequestLen      10485760
FcgidPassHeader         AUTHORIZATION

<Location /fcgi-bin/>
        SetHandler      fcgid-script
        Options         +ExecCGI
</Location>


/etc/apache2/sites-enabled/example.com
=====================

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    DocumentRoot /var/www/example.com
    <Directory /var/www/example.com>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    AddHandler          php-fcgi    .php
    Action              php-fcgi    /fcgi-bin/example/php-fcgi-wrapper
    SuexecUserGroup     example example

    ErrorLog ${APACHE_LOG_DIR}/example.com/error.log
    CustomLog ${APACHE_LOG_DIR}/example.com/access.log combined
</VirtualHost>


/var/www/fcgi-bin.d/gray/php-fcgi-wrapper
=====================

#!/bin/sh
export PHPRC=/etc/php5/cgi
export PHP_FCGI_MAX_REQUESTS=25000
exec /usr/bin/php5-cgi


With this configuration, php5_cgi enabled via a2enmod, and a Drupal website, it's
possible to see the MySQL password in cleartext when requesting
/sites/default/settings.php on that site.



Merged 687307 687418 Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Wed, 12 Sep 2012 15:03:05 GMT)

Message #12 received at 687307@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: Konstantin Khomoutov <flatworm@users.sourceforge.net>, Christoph Anton Mitterer <calestyo@scientia.net>, Matthias Urlichs <matthias@urlichs.de>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>
Cc: pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 17 Sep 2012 17:28:44 +0200
On Mon, Sep 17, 2012 at 4:35 PM, Konstantin Khomoutov
<flatworm@users.sourceforge.net> wrote:
[...snip...]
> I'm by no means an expert in setting up this sort of complicated stuff
> in Apache, so I can't really tell if this new change in php5 packaging
> introduces a regression or it's just a misconfiguration on my part.
> In the latter case, it would be cool if someone could provide me with
> any hints on how to configure handling of PHP scripts by FastCGI
> server-wide (rather than patching each PHP-enabled vhost using that
> <FilesMatch> override).  Any suggestions?

The NEWS file for php5-cgi which you ought to read when upgrading reads:

--cut here--
php5 (5.4.4-5) unstable; urgency=low

 Please be aware that the mime-support package has dropped non-standard
 definitions for PHP that might affect any systems using PHP 5 running
 as CGI or FastCGI.  The following definitions were dropped:

  application/x-httpd-php                        phtml pht php
  application/x-httpd-php-source                 phps
  application/x-httpd-php3                       php3
  application/x-httpd-php3-preprocessed          php3p
  application/x-httpd-php4                       php4
  application/x-httpd-php5                       php5

 The php5-cgi package mitigates any known issues by creating a (dummy)
 apache2 module php5_cgi with a configuration containing handlers for
 all previously defined extensions.  ****Even though we believe that this
 configuration should keep your PHP scripts interpreted, it might be a
 good idea to check your apache2 site-wide configuration as well as
 any specific PHP configuration for websites running on your system.****

 As far as we know definitions from the mime-support packages are not
 used in any other webserver included in Debian, but it might affect
 any application which relies on system MIME types to interpret PHP
 files.
--cut here--

I am currently thinking about how to accommodate all types of users (cgi and
fastcgi), but I haven't come to any conclusion yet. If you have an
idea how not to break the configuration for either CGI or FastCGI
users, feel free to share.

O.
-- 
Ondřej Surý <ondrej@sury.org>



Message #17 received at 687307@bugs.debian.org:

From: Konstantin Khomoutov <flatworm@users.sourceforge.net>
To: Konstantin Khomoutov <flatworm@users.sourceforge.net>
Cc: Ondřej Surý <ondrej@debian.org>, Christoph Anton Mitterer <calestyo@scientia.net>, Matthias Urlichs <matthias@urlichs.de>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 17 Sep 2012 20:04:30 +0400
On Mon, 17 Sep 2012 19:57:57 +0400
Konstantin Khomoutov <flatworm@users.sourceforge.net> wrote:

[...]
> Or is the correct thing for me to just change
> 
> <FilesMatch ".+\.ph(p[345]?|t|tml)$">
>     SetHandler application/x-httpd-php
> </FilesMatch>
> 
> to
> 
> <FilesMatch ".+\.ph(p[345]?|t|tml)$">
>     SetHandler fcgid-script
> </FilesMatch>
> 
> ?

Answering myself:

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler fcgid-script
    FcgidWrapper /usr/bin/php-cgi
</FilesMatch>

does really fix my problem server-wide.



Message #22 received at 687307@bugs.debian.org:

From: Konstantin Khomoutov <flatworm@users.sourceforge.net>
To: Ondřej Surý <ondrej@debian.org>
Cc: Konstantin Khomoutov <flatworm@users.sourceforge.net>, Christoph Anton Mitterer <calestyo@scientia.net>, Matthias Urlichs <matthias@urlichs.de>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 17 Sep 2012 19:57:57 +0400
On Mon, 17 Sep 2012 17:28:44 +0200
Ondřej Surý <ondrej@debian.org> wrote:

> > I'm by no means an expert in setting up this sort of complicated
> > stuff in Apache, so I can't really tell if this new change in php5
> > packaging introduces a regression or it's just a misconfiguration
> > on my part. In the latter case, it would be cool if someone could
> > provide me with any hints on how to configure handling of PHP
> > scripts by FastCGI server-wide (rather than patching each
> > PHP-enabled vhost using that <FilesMatch> override).  Any
> > suggestions?
> 
> The NEWS file for php5-cgi which you ought to read when upgrading
> reads:
> 
> --cut here--
> php5 (5.4.4-5) unstable; urgency=low
> 
>  Please be aware that the mime-support package has dropped
> non-standard definitions for PHP that might affect any systems using
> PHP 5 running as CGI or FastCGI.  The following definitions were
[...]
>  all previously defined extensions.  ****Even though we believe that
> this configuration should keep your PHP scripts interpreted, it might
> be a good idea to check your apache2 site-wide configuration as well
> as any specific PHP configuration for websites running on your
> system.****
[...]
> --cut here--
> 
> I am currently thinking about how to accommodate all types of users (cgi and
> fastcgi), but I haven't come to any conclusion yet. If you have an
> idea how not to break the configuration for either CGI or FastCGI
> users, feel free to share.

The problem is that I did read the release notes [*], but I failed to
make out any connection between MIME types and FastCGI; unfortunately
I'm not able to make it out completely even now.

Let me try to explain.
The configuration snippet which used to work for me, that is,

<IfModule mod_fcgid.c>
  AddHandler   fcgid-script .php
  FCGIWrapper  /usr/bin/php-cgi .php
</IfModule>

does not mention any MIME types, I mean there's nothing referring to
things like "application/x-httpd-php" -- the snippet just basically
sets a handler for files ending in ".php" and then defines which binary
should serve as a handler for such files.  Consequently, when I'm
reading about changes in certain stuff involving MIME types, this does
not ring any bell for me as I'm not using that.

To me, it seems that the newly added snippet

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

somehow has higher priority (or gets parsed later maybe?) than my
FastCGI config so that my AddHandler directive is effectively cancelled.
Is that correct?

In this case the correct approach to fix my setup seems to be somehow
setting that files assigned a handler "application/x-httpd-php" should
be served using FastCGI mechanics.  Can this be achieved?
To me, it looks like the handler name "fcgid-script" is builtin to
mod_fcgid, so the answer is "no".

Or is the correct thing for me to just change

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

to

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler fcgid-script
</FilesMatch>

?

In the latter case, I think the README.Debian file could just include
an entry on changing the default configuration to accommodate CGI or
FastCGI setups and the NEWS file could just redirect the user there.

[*] The funny thing is that I even proposed a small language-related
    fix to the first draft of this NEWS file entry on debian-devel ;-)



Message #27 received at 687307@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Konstantin Khomoutov <flatworm@users.sourceforge.net>
Cc: Ondřej Surý <ondrej@debian.org>, Matthias Urlichs <matthias@urlichs.de>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 17 Sep 2012 18:53:50 +0200
On Mon, 2012-09-17 at 19:57 +0400, Konstantin Khomoutov wrote:
> The configuration snippet which used to work for me, that is,
> 
> <IfModule mod_fcgid.c>
>   AddHandler   fcgid-script .php
>   FCGIWrapper  /usr/bin/php-cgi .php
> </IfModule>
> 
> does not mention any MIME types, I mean there's nothing referring to
> things like "application/x-httpd-php"
Well...

1) The relation to MIME-Types is only a _previous_ one... when the MIME
type definition from the mime-support package was used to get php files
interpreted.


2) Ondrej, I've already planned to suggest you... to change the
_handler_ name "application/x-httpd-php" that we now use throughout the
packages to something like "php-script"...
It easily confuses people that this would be a MIME type,... while it is
actually a handler.


> To me, it seems that the newly added snippet
> 
> <FilesMatch ".+\.ph(p[345]?|t|tml)$">
>     SetHandler application/x-httpd-php
> </FilesMatch>
> 
> somehow has higher priority (or gets parsed later maybe?) than my
> FastCGI config so that my AddHandler directive is effectively cancelled.
> Is that correct?
3) Yes, that's the case...
In principle we tried to explain in the NEWS file what has happened,...
obviously we cannot cover _any_ possible setup where this could occur
somehow; there are simply way too many possible and complex
configurations

In principle "you" as an administrator are expected to understand how
your own setup works,... raise your head when you read that NEWS
file.... and realise that you could be affected.


> To me, it looks like the handler name "fcgid-script" is builtin to
> mod_fcgid, so the answer is "no".
Yeah... that seems to be the case...


> <FilesMatch ".+\.ph(p[345]?|t|tml)$">
>     SetHandler fcgid-script
> </FilesMatch>
Seems so...


> In the latter case, I think the README.Debian file could just include
> an entry on changing the default configuration to accommodate CGI or
> FastCGI setups and the NEWS file could just redirect the user there.
Mhh... well... perhaps as a small hint; in principle this is rather the
duty of the libapache2-mod-fcgid package.


The best thing would be obviously if one could make everything work out
of the box,... but I guess that's not really possible... as one can
imagine setups where a mixture of CGI/FCGID/mod_php/FastCGI is used.

Further I would vote against an automatically installed config snippet
which globally sets SetHandler fcgid-script, as this (AFAIU) already
enables PHP/FCGID interpretation.



Has anyone an idea whether mod_fastcgi (!= mod_fcgid) is also affected?


Cheers,
Chris.


btw:
This:
FCGIWrapper  /usr/bin/php-cgi .php
may (I haven't checked) be vulnerable to the foo.php.jpeg issue.

Message #32 received at 687307@bugs.debian.org:

From: Konstantin Khomoutov <flatworm@users.sourceforge.net>
To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: Konstantin Khomoutov <flatworm@users.sourceforge.net>, Ondřej Surý <ondrej@debian.org>, Matthias Urlichs <matthias@urlichs.de>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 17 Sep 2012 22:11:40 +0400
On Mon, 17 Sep 2012 18:53:50 +0200
Christoph Anton Mitterer <calestyo@scientia.net> wrote:

[...]

Sorry for skipping the rest -- will come back to it later.

> btw:
> This:
> FCGIWrapper  /usr/bin/php-cgi .php
> may (I haven't checked) be vulnerable to the foo.php.jpeg issue.

Yes, seems vulnerable: I've created a foo.php.jpeg file containing
<?php
phpinfo();
?>
and tried to request it in the browser -- I got 500 and

[Mon Sep 17 22:00:40 2012] [warn] [client 192.168.2.100] (104)
Connection reset by peer: mod_fcgid: error reading data from FastCGI
server
[Mon Sep 17 22:00:40 2012] [error] [client 192.168.2.100]
Premature end of script headers: test.php.jpeg

in the logs.

With the

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler fcgid-script
    FcgidWrapper /usr/bin/php-cgi
</FilesMatch>

snippet, all works sensibly: test.php.jpeg is sent as-is and is not
tried to be interpreted.
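
An added example, not part of the original thread or of any Debian package: a Python sketch contrasting the two matching rules discussed above, so a document root can be audited for files like foo.php.jpeg. The regex is the FilesMatch pattern quoted in the thread; the `addhandler_matches` model of mod_mime (every extension after the base name counts, case-insensitively) is a simplifying assumption, and all function names are hypothetical.

```python
import os
import re
import sys

# FilesMatch pattern quoted in the thread; Apache matches it against the
# file name, so it only fires when the PHP extension is the last one.
FILESMATCH_RE = re.compile(r".+\.ph(p[345]?|t|tml)$")


def addhandler_matches(filename, ext="php"):
    """Simplified model (assumption) of 'AddHandler fcgid-script .php'.

    mod_mime treats every dot-separated component after the base name as
    an extension, in any position, compared case-insensitively.
    """
    parts = os.path.basename(filename).split(".")
    return ext.lower() in (p.lower() for p in parts[1:])


def filesmatch_matches(filename):
    """True if the thread's <FilesMatch> regex selects this file name."""
    return FILESMATCH_RE.search(os.path.basename(filename)) is not None


def classify(filename):
    """Say which of the two rules would hand the file to the PHP handler."""
    by_addhandler = addhandler_matches(filename)
    by_filesmatch = filesmatch_matches(filename)
    if by_addhandler and by_filesmatch:
        return "both"
    if by_addhandler:
        return "addhandler-only"
    if by_filesmatch:
        return "filesmatch-only"
    return "neither"


def audit(docroot):
    """Return relative paths that only the AddHandler rule treats as PHP.

    These are the foo.php.jpeg-style names: worth reviewing in upload
    directories before relying on an extension-based AddHandler.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if classify(name) == "addhandler-only":
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, docroot))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python audit_php_ext.py /var/www/example.com
    for path in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path)
```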



Message #37 received at 687307@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Konstantin Khomoutov <flatworm@users.sourceforge.net>
Cc: Ondřej Surý <ondrej@debian.org>, Matthias Urlichs <matthias@urlichs.de>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 17 Sep 2012 20:32:32 +0200
On Mon, 2012-09-17 at 22:11 +0400, Konstantin Khomoutov wrote:
> <FilesMatch ".+\.ph(p[345]?|t|tml)$">
>     SetHandler fcgid-script
>     FcgidWrapper /usr/bin/php-cgi
> </FilesMatch>
> 
> snippet, all works sensibly: test.php.jpeg is sent as-is and is not
> tried to be interpreted.

Yeah,... perhaps someone could report a bug against that package, to
include some teaching on how it is done right in its README.Debian.


Cheers,
Chris.

Message #42 received at 687307@bugs.debian.org:

From: Matthias Urlichs <matthias@urlichs.de>
To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: Konstantin Khomoutov <flatworm@users.sourceforge.net>, Ondřej Surý <ondrej@debian.org>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 17 Sep 2012 20:48:27 +0200
Hi,

Christoph Anton Mitterer:
> 
> 2) Ondrej, I've already planned to suggest you... to change the
> _handler_ name "application/x-httpd-php" that we now use throughout the
> packages to something like "php-script"...
> It easily confuses people that this would be a MIME type,... while it is
> actually a handler.
> 
Ah. Thank you, that was in fact one of the problems I struggled with.
> 
> In principle we tried to explain in the NEWS file what has happened,...
> obviously we cannot cover _any_ possible setup where this could occur
> somehow; there are simply way too many possible and complex
> configurations
> 
There are also a couple of simple configurations which get broken. They
should not be.

Conceptually, setting up a mod_fastcgi server with separate users is rather
simple:

* install mod_fastcgi (duh)
* disable php5_cgi, i.e. remove mods_enabled/php5_cgi.conf
* add a line 
  ScriptAlias /php-fastcgi/ /var/www/drupal/bin/php5-cgi/
  to the user's virtual hosts
* and (of course) create a script /var/www/drupal/bin/php5-cgi, where
  local PHP variables like individual memory limits etc. may be set before
  exec()ing /usr/lib/cgi-bin/php5 (which automagically uses fastcgi mode
  when you do all that).

Thus an upgrade to wheezy which kills that setup by undoing the second
step, i.e. re-enabling php5_cgi, is contrary to expectations, NEWS file or
no NEWS file.

In fact, this should not happen regardless of whether such re-enabling
breaks anything. It might even introduce a security hole; imagine
re-enabling mod_dirindex.  :-(

Therefore I recommend that, at minimum, an upgrade MAY NOT re-enable
an Apache module which the administrator has specifically disabled.

> Has anyone an idea whether mod_fastcgi (!= mod_fcgid) is also affected?
> 
Yes, it is. In fact, that prompted my initial bug report.

-- 
-- Matthias Urlichs

Message #47 received at 687307@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Matthias Urlichs <matthias@urlichs.de>
Cc: Konstantin Khomoutov <flatworm@users.sourceforge.net>, Ondřej Surý <ondrej@debian.org>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 17 Sep 2012 21:28:42 +0200
On Mon, 2012-09-17 at 20:48 +0200, Matthias Urlichs wrote:
> > 2) Ondrej, I've already planned to suggest you... to change the
> > _handler_ name "application/x-httpd-php" that we now use throughout the
> > packages to something like "php-script"...
> > It easily confuses people that this would be a MIME type,... while it is
> > actually a handler.
> Ah. Thank you, that was in fact one of the problems I struggled with.



> > In principle we tried to explain in the NEWS file what has happened,...
> > obviously we cannot cover _any_ possible setup where this could occur
> > somehow; there are simply way too many possible and complex
> > configurations 
> There are also a couple of simple configurations which get broken. They
> should not be.
Which?


I mean my personal goal (though beware that I'm just some idiot
considering himself being smart ;-) ... and am not a member of Debian's
PHP team) would be about the following:

- ideally all PHP SAPIs (including the different flavours of FastCGI,
that is either mod_fcgid or mod_fastcgid), should be able to work on
the same systems (of course each interpreting different files).

- the PHP packages should configure so much out of the box, that
everything with respect to file-extensions, handlers and that like is
there (in a secure way)... but NOT activated.

- either the user should activate PHP himself (server-wide, vhost-wide,
or per directory context)
or
the programs/packages using PHP should do so for their
default-out-of-the-box config.

- ideally, the user could then always select which SAPI is to be used

- ideally, things would default to either CGI or some FastCGId with
doing user privilege separation (i.e. not everything running as
www-data); I myself put a lot of effort into this, to make PNP4Nagios,
Icinga-CGI, Icinga-WEB and Nagios-CGI running... all with different
users,... all with clean user based DB authentication.
It's a pain to find out how to do this, but once done, things are
actually easy and I would like to see all users benefit from this
eventually.


I'm not sure whether this is also what Ondrej and his team colleagues
have in mind, but if so, we will sooner or later anyway face the step
where existing setups might break.

PHP/Apache is mighty things and one cannot expect it to work
reasonably/securely if one has no idea on what happens.

I personally would rather vote for not all things working in an Apple™
out-of-the-box-but-perhaps-insecure style.


So what I mean in the end: We cannot take all responsibility away from
the admins, nor should we.



> Conceptually, setting up a mod_fastcgi server with separate users is rather
> simple:
Off topic: 
With either of both (mod_fastcgi/fcgid)... can you really specify users
per <Directory>-context?




> In fact, this should not happen regardless of whether such re-enabling
> breaks anything. It might even introduce a security hole; imagine
> re-enabling mod_dirindex.  :-(
AFAIU, it doesn't really enable anything... it just sets a different
handler, which may take away handling from what you've set up.


Which leads me to the question, what happens when a file is accessed
which has a handler that doesn't exist?
That may even cause security issues then...


> Therefore I recommend that, at minimum, an upgrade MAY NOT re-enable
> an Apache module which the administrator has specifically disabled.
As said above, we don't do this anyway.... there is not even a php5_cgi
_module_... this is just a trick ;)


Cheers,
Chris.

Message #52 received at 687307@bugs.debian.org:

From: Matthias Urlichs <matthias@urlichs.de>
To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: Konstantin Khomoutov <flatworm@users.sourceforge.net>, Ondřej Surý <ondrej@debian.org>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 17 Sep 2012 22:50:25 +0200
Hi,

Christoph Anton Mitterer:
> > In fact, this should not happen regardless of whether such re-enabling
> > breaks anything. It might even introduce a security hole; imagine
> > re-enabling mod_dirindex.  :-(
> AFAIU, it doesn't really enable anything... it just sets a different
> handler, which may take away handling from what you've set up.
> 
Your understanding is incomplete.
The postinst script specifically calls a2enable.

> > Therefore I recommend that, at minimum, an upgrade MAY NOT re-enable
> > an Apache module which the administrator has specifically disabled.
> As said above, we don't do this anyway.... there is not even a php5_cgi
> _module_... this is just a trick ;)
> 
I know. But the trick backfired.

-- 
-- Matthias Urlichs

Message #57 received at 687307@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Matthias Urlichs <matthias@urlichs.de>
Cc: Konstantin Khomoutov <flatworm@users.sourceforge.net>, Ondřej Surý <ondrej@debian.org>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 17 Sep 2012 23:30:46 +0200
On Mon, 2012-09-17 at 22:50 +0200, Matthias Urlichs wrote:
> > AFAIU, it doesn't really enable anything... it just sets a different
> > handler, which may take away handling from what you've set up.
> Your understanding is incomplete.
> The postinst script specifically calls a2enable.
It does,... but there is no LoadModule directive in the respective
config files; just the config snippets for the handler assignments and
some comments, as I've said before.
(We're still talking about php5-cgi's php5-cgi.conf/.load files, are
we?)


> > As said above, we don't do this anyway.... there is not even a php5_cgi
> > _module_... this is just a trick ;)
> I know. But the trick backfired.
Yeah,... well... to be honest I don't think there's an automatic "fix"
to get everything working as it was.
We should add another bunch of notes to the release files, that the
SetHandler definitions from php5-cgi's config snippets may override
other Handler definitions.

But as I said, Apache configs may be just way too complex to handle this
all out of the box; at least I don't see a way currently.

Perhaps one should also add a note, that these "fake" module config files
are added and that admins are expected to have a look at it.


At least I don't see a way to take these "fake" module config files as
this would not only break sites, but also cause security issues (php
files being exposed).


Questions for those who are affected by this bug:
1) So you have both, php5-cgi AND libapache2-mod-fcgid installed, right?
2) Then what happens is, the Handler from php5_cgi.conf overrides the
way (whatever you did) to get .php files interpreted, right?
3) Obviously, .php files are then neither interpreted by "normal" CGI,
as Action directives are missing (and perhaps ScriptAlias and other
things), right?

So we definitely get broken services (which by itself may cause security
issues - but no one could really ever cover these kinds of
issues).
Big problem though is, are the files then served as normal files by
Apache?


Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Mon, 17 Sep 2012 22:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matthias Urlichs <matthias@urlichs.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 17 Sep 2012 22:03:03 GMT) Full text and rfc822 format available.

Message #62 received at 687307@bugs.debian.org (full text, mbox):

From: Matthias Urlichs <matthias@urlichs.de>
To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: Konstantin Khomoutov <flatworm@users.sourceforge.net>, Ondřej Surý <ondrej@debian.org>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Tue, 18 Sep 2012 00:00:17 +0200
Hi,

Christoph Anton Mitterer:

> 1) So you have both, php5-cgi AND libapache2-mod-fcgid installed, right?

fastcgi, but yes.

> 2) Then what happens is, the Handler from php5_cgi.conf overrides the
> way (whatever you did) to get .php files interpreted, right?

Right.

> 3) Obviously, .php files are then neither interpreted by "normal" CGI,
> as Action directives are missing (and perhaps ScriptAlias and other
> things), right?
> 
Right.

> Big problem though is, are the files then served as normal files by
> Apache?

Yes. The file gets served as-is, with a mimetype of
application/x-whatever-php.

If there's a database password / server secret in there,
$WORLD now knows it.

In an ideal world, your server cannot serve the include file
which has the actual secret sauce that's used by index.php.

Most people choose not to live in an ideal world. ;-)

-- 
-- Matthias Urlichs

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Mon, 17 Sep 2012 23:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 17 Sep 2012 23:03:06 GMT) Full text and rfc822 format available.

Message #67 received at 687307@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Matthias Urlichs <matthias@urlichs.de>
Cc: Konstantin Khomoutov <flatworm@users.sourceforge.net>, Ondřej Surý <ondrej@debian.org>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Tue, 18 Sep 2012 00:57:14 +0200
On Tue, 2012-09-18 at 00:00 +0200, Matthias Urlichs wrote:
> fastcgi, but yes.
Well... we have to expect both causing troubles...


> > Big problem though is, are the files then served as normal files by
> > Apache?
> Yes. The file gets served as-is, with a mimetype of
> application/x-whatever-php.
This is really strange... I mean that it gets this MIME type.
Does anyone have an explanation for this? Cause I've always thought
Apache considers handlers and MIME types to be different "classes".


> If there's a database password / server secret in there,
> $WORLD now knows it.
> In an ideal world, your server cannot serve the include file
> which has the actual secret sauce that's used by index.php.
> Most people choose not to live in an ideal world. ;-)
Of course,... the main reason why I opened the other bugs about the very
same problem, when MIME Types were dropped from mime-support.


Anyway... right now I have no real ideas how to go on, except perhaps
one...

Ondrej?


Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Tue, 18 Sep 2012 01:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Konstantin Khomoutov <flatworm@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 18 Sep 2012 01:51:03 GMT) Full text and rfc822 format available.

Message #72 received at 687307@bugs.debian.org (full text, mbox):

From: Konstantin Khomoutov <flatworm@users.sourceforge.net>
To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: Matthias Urlichs <matthias@urlichs.de>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, Ondřej Surý <ondrej@debian.org>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Tue, 18 Sep 2012 05:47:45 +0400
On Mon, Sep 17, 2012 at 11:30:46PM +0200, Christoph Anton Mitterer wrote:

[...]
> Questions for those who are affected by this bug:
> 1) So you have both, php5-cgi AND libapache2-mod-fcgid installed, right?
Yes.

> 2) Then what happens is, the Handler from php5_cgi.conf overrides the
> way (whatever you did) to get .php files interpreted, right?
Yes, but not that straightforward: libapache2-mod-fcgid's configuration
file only installs this snippet:

<IfModule mod_fcgid.c>
  AddHandler    fcgid-script .fcgi
  FcgidConnectTimeout 20
</IfModule>

Obviously, at this point there's no conflict with php5_cgi.conf settings
yet.

So to get it to interpret PHP scripts one needs to provide another
directory.  Personally, I read a couple of random HOWTOs on the topic,
and all they happened to suggest adding

<IfModule mod_fcgid.c>
  AddHandler    fcgid-script .php
  FcgidWrapperScript /usr/bin/php5-cgi .php
</IfModule>

with minor variations, so I did this.

Now the newly introduced settings from php5_cgi.conf override this
snippet (if it's placed in a file under /etc/apache2/conf.d -- dunno if
that matters or not).

And now I'm a bit lost as
1) You have clearly demonstrated the snippet like the one I used
   to enable FastCGI for PHP scripts is broken security-wise anyway
   (I dunno why -- never thought it could try to interpret .php.jpeg!);
2) Looks like changing the handler for PHP files (to fcgid-script)
   in the newly provided snippet in php5_cgi.conf is the right
   thing anyway to setup FastCGI for PHP so I don't really see a
   conflict there, it just has to be properly documented somewhere --
   in the libapache2-mod-fcgid docs supposedly, probably with
   appropriate hints in php5-common (or whatever).

> 3) Obviously, .php files are then neither interpreted by "normal" CGI,
> as Action directives are missing (and perhaps ScriptAlias and other
> things), right?
Seems to be the case.

> So we definitely get broken services (which by itself may cause security
> issues - but no one could really ever cover these kinds of
> issues).
> Big problem though is, are the files then served as normal files by
> Apache?
Yes.
In my case, Apache did not set any Content-type HTTP header field for
these files when serving them (checked using the Live HTTP Headers
extensions for FireFox).

I'm not sure, but maybe it's possible to not only set a handler for PHP
script files, but also provide some "null" implementation for this
handler by default?

Something like

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

AddHandler application/x-httpd-php null

From [1], I gather it's not really possible, but I'm not an expert in
this field.

1. http://httpd.apache.org/docs/2.2/handler.html




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Tue, 18 Sep 2012 08:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 18 Sep 2012 08:00:03 GMT) Full text and rfc822 format available.

Message #77 received at 687307@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Matthias Urlichs <matthias@urlichs.de>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Tue, 18 Sep 2012 09:56:45 +0200
On Mon, Sep 17, 2012 at 8:48 PM, Matthias Urlichs <matthias@urlichs.de> wrote:
> Thus an upgrade to wheezy which kills that setup by undoing the second
> step, i.e. re-enabling php5_cgi, is contrary to expectations, NEWS file or
> no NEWS file.

JFTR there was NO php5_cgi in squeeze, so the update does not
re-enable anything per se, but it tries to restore the functionality
lost by removed MIME-Types between squeeze and wheezy.

O.
-- 
Ondřej Surý <ondrej@sury.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Tue, 18 Sep 2012 09:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matthias Urlichs <matthias@urlichs.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 18 Sep 2012 09:30:03 GMT) Full text and rfc822 format available.

Message #82 received at 687307@bugs.debian.org (full text, mbox):

From: Matthias Urlichs <matthias@urlichs.de>
To: Ondřej Surý <ondrej@debian.org>
Cc: Christoph Anton Mitterer <calestyo@scientia.net>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687418@bugs.debian.org, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, pkg-php-maint@lists.alioth.debian.org
Subject: Re: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Tue, 18 Sep 2012 11:26:35 +0200
Hi,

Ondřej Surý:
> On Mon, Sep 17, 2012 at 8:48 PM, Matthias Urlichs <matthias@urlichs.de> wrote:
> > Thus an upgrade to wheezy which kills that setup by undoing the second
> > step, i.e. re-enabling php5_cgi, is contrary to expectations, NEWS file or
> > no NEWS file.
> 
> JFTR there was NO php5_cgi in squeeze, so the update does not
> re-enable anything per se, but it tries to restore the functionality
> lost by removed MIME-Types between squeeze and wheezy.
> 
That's incorrect. The a2enable is not called if the package is new, only if
it is updated. Thus, squeeze->wheezy release updates are not affected, only
people who update through unstable/testing.

>> # Enable php5_cgi if upgrading from older versions of php5-cgi
>> if [ -n "$2" ] && dpkg --compare-versions "$2" lt 5.4.4-5; then
>>     [...]a2enable[...]

This does not make sense either. IMHO running a squeeze->wheezy update once
should leave the system in exactly the same state, ultimately, as running a
daily dist-upgrade of testing. (except for the dpkg log being a bit longer. ;-)

-- 
-- Matthias Urlichs



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Sat, 06 Oct 2012 19:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 06 Oct 2012 19:54:03 GMT) Full text and rfc822 format available.

Message #87 received at 687307@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@debian.org>
To: Ondřej Surý <ondrej@debian.org>
Cc: Matthias Urlichs <matthias@urlichs.de>, Christoph Anton Mitterer <calestyo@scientia.net>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, debian-apache@lists.debian.org
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Sat, 6 Oct 2012 21:51:29 +0200 (CEST)
Hi Ondřej,

I also cannot think of any configuration that would make everyone happy. 
At the moment, I fear this can only be solved by more documentation.

Maybe one could add such a paragraph to the NEWS entry of php5-cgi 
5.4.4-5, e.g. before "The standard configuration now also..." :

  WARNING: The new configuration may override other configuration
  directives you may have added locally for the .php extension, for
  example for FastCGI processing. This behavior is caused by <FilesMatch>
  configuration sections overriding directives appearing in global server
  or VirtualHost scope. You should review and test your configuration and
  verify that your php scripts work as expected.

The README.Debian or the wiki page you are already pointing to should then 
list likely candidates for problematic local configurations, like 
"AddHandler fcgid-script .php". Maybe it could also say, that if all else 
fails and the user is willing to live with the *.php.foo problem, the old 
behavior can be restored by replacing 
etc/apache2/mods-available/php5_cgi.conf with something like

  AddType application/x-httpd-php phtml pht php php3 php4 php5
  AddType application/x-httpd-php-source phps

to get the old behavior back. What do you think?

This sucks. In hindsight, maybe the mime.types change should have been 
deferred until we upgrade to apache 2.4 and people have to adjust their 
configs anyway. But I think it's too late now to go back. And leaving the 
*.php.foo problem there for yet another release cycle would not have been 
a good solution either.

Cheers,
Stefan
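
The review of local configurations that the proposed NEWS paragraph asks for can be partly automated. The following Python sketch is an added example, not code from this bug report or from the php5 or apache2 packages; the sample configuration is constructed from the two snippets quoted in this thread, and the rule it applies (a handler set inside a <FilesMatch> section wins over AddHandler/AddType lines outside such sections) is taken from the paragraph above.

```python
import re

# Constructed sample: a local FastCGI setup next to a php5_cgi.conf-style
# <FilesMatch> section, both modelled on the snippets quoted in this thread.
SAMPLE_CONF = r"""# conf.d/php-fcgid (constructed local FastCGI setup)
<IfModule mod_fcgid.c>
  AddHandler    fcgid-script .php
</IfModule>
# php5_cgi.conf-style section (constructed)
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

SECTION_OPEN = re.compile(r"<\s*(\w+)\s+(.*?)\s*>$")
SECTION_CLOSE = re.compile(r"</\s*(\w+)\s*>$")
HANDLER_DIRECTIVES = ("addhandler", "addtype", "sethandler")
FILE_SECTIONS = ("files", "filesmatch")


def parse_handler_directives(conf_text):
    """Return (line_no, enclosing_sections, directive, args) for each
    AddHandler/AddType/SetHandler line, tracking the section nesting."""
    stack, found = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip('"')))
            continue
        parts = line.split()
        if parts[0].lower() in HANDLER_DIRECTIVES and len(parts) > 1:
            found.append((line_no, tuple(stack), parts[0], parts[1:]))
    return found


def in_file_section(entry):
    return any(kind in FILE_SECTIONS for kind, _ in entry[1])


def applies_to(entry, filename):
    """True if the directive would take effect for a file with this name."""
    _, sections, directive, args = entry
    for kind, arg in sections:
        if kind == "filesmatch" and not re.search(arg, filename):
            return False
    if directive.lower() == "sethandler":
        return True
    # AddHandler/AddType: a name followed by extensions; any extension of the
    # file name may match, not only the last one.
    wanted = {ext.lstrip(".").lower() for ext in args[1:]}
    return any(part.lower() in wanted for part in filename.split(".")[1:])


def audit(conf_text, filename="index.php"):
    """Report each SetHandler inside a file section that displaces a different
    AddHandler/AddType assignment made outside such sections."""
    hits = [e for e in parse_handler_directives(conf_text) if applies_to(e, filename)]
    winners = [e for e in hits
               if e[2].lower() == "sethandler" and in_file_section(e)]
    locals_ = [e for e in hits
               if e[2].lower() != "sethandler" and not in_file_section(e)]
    findings = []
    for win in winners:
        for loc in locals_:
            if win[3][0] != loc[3][0]:
                findings.append((win[0], win[3][0], loc[0], loc[2], loc[3][0]))
    return findings


if __name__ == "__main__":
    for win_line, win_name, loc_line, loc_dir, loc_name in audit(SAMPLE_CONF):
        print(f"line {win_line}: SetHandler {win_name} displaces "
              f"{loc_dir} {loc_name} from line {loc_line}")
```

Each finding marks a .php handler assignment that needs a manual test request, since a displaced handler is the situation in which this bug served script source as-is.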

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Mon, 08 Oct 2012 13:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 08 Oct 2012 13:42:03 GMT) Full text and rfc822 format available.

Message #92 received at 687307@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Stefan Fritsch <sf@debian.org>
Cc: Matthias Urlichs <matthias@urlichs.de>, Christoph Anton Mitterer <calestyo@scientia.net>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, debian-apache@lists.debian.org, Charles Plessy <plessy@debian.org>
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 8 Oct 2012 15:38:10 +0200
Stefan,

thanks for the input.

Just one last question which came to my mind. Would this all be fixed
if we added non-magic type to mime-support (e.g.
http://bugs.debian.org/670945) and reverting the changes done in the
php5-cgi package?

That I think would justify change in the mime-support package. Too
much breakage on every front now.

O.

On Sat, Oct 6, 2012 at 9:51 PM, Stefan Fritsch <sf@debian.org> wrote:
> Hi Ondřej,
>
> I also cannot think of any configuration that would make everyone happy. At
> the moment, I fear this can only be solved by more documentation.
>
> Maybe one could add such a paragraph to the NEWS entry of php5-cgi 5.4.4-5,
> e.g. before "The standard configuration now also..." :
>
>   WARNING: The new configuration may override other configuration
>   directives you may have added locally for the .php extension, for
>   example for FastCGI processing. This behavior is caused by <FilesMatch>
>   configuration sections overriding directives appearing in global server
>   or VirtualHost scope. You should review and test your configuration and
>   verify that your php scripts work as expected.
>
> The README.Debian or the wiki page you are already pointing to should then
> list likely candidates for problematic local configurations, like
> "AddHandler fcgid-script .php". Maybe it could also say, that if all else
> fails and the user is willing to live with the *.php.foo problem, the old
> behavior can be restored by replacing
> etc/apache2/mods-available/php5_cgi.conf with something like
>
>   AddType application/x-httpd-php phtml pht php php3 php4 php5
>   AddType application/x-httpd-php-source phps
>
> to get the old behavior back. What do you think?
>
> This sucks. In hindsight, maybe the mime.types change should have been
> deferred until we upgrade to apache 2.4 and people have to adjust their
> configs anyway. But I think it's too late now to go back. And leaving the
> *.php.foo problem there for yet another release cycle would not have been a
> good solution either.
>
> Cheers,
> Stefan



-- 
Ondřej Surý <ondrej@sury.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Mon, 08 Oct 2012 14:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matthias Urlichs <matthias@urlichs.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 08 Oct 2012 14:15:05 GMT) Full text and rfc822 format available.

Message #97 received at 687307@bugs.debian.org (full text, mbox):

From: Matthias Urlichs <matthias@urlichs.de>
To: Ondřej Surý <ondrej@debian.org>
Cc: Stefan Fritsch <sf@debian.org>, Christoph Anton Mitterer <calestyo@scientia.net>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, debian-apache@lists.debian.org, Charles Plessy <plessy@debian.org>
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 8 Oct 2012 16:12:24 +0200
Hi,

Ondřej Surý:
> Just one last question which came to my mind. Would this all be fixed
> if we added non-magic type to mime-support (e.g.
> http://bugs.debian.org/670945) and reverting the changes done in the
> php5-cgi package?
> 
IMHO that would be a good idea. (Subject to testing …)
-- 
-- Matthias Urlichs

Marked as found in versions php5/5.4.4-7. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 08 Oct 2012 14:42:05 GMT) Full text and rfc822 format available.

Merged 687307 687418 689440 Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 08 Oct 2012 14:42:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Mon, 08 Oct 2012 19:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 08 Oct 2012 19:54:03 GMT) Full text and rfc822 format available.

Message #106 received at 687307@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Ondřej Surý <ondrej@debian.org>
Cc: Stefan Fritsch <sf@debian.org>, Matthias Urlichs <matthias@urlichs.de>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, debian-apache@lists.debian.org, Charles Plessy <plessy@debian.org>
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 08 Oct 2012 21:51:04 +0200
On Mon, 2012-10-08 at 15:38 +0200, Ondřej Surý wrote:
> Just one last question which came to my mind. Would this all be fixed
> if we added non-magic type to mime-support (e.g.
> http://bugs.debian.org/670945) and reverting the changes done in the
> php5-cgi package?
I'm a bit unsure how/why that would fix the general problem?
Perhaps you can elaborate a bit more on what your ideas are :)

I haven't looked into absolute details but I think the main problem here
is, that different SAPIs use different fixed handler-names.
And even if all would use the same,... we'd have a problem, namely how
to select the right one.


> That I think would justify change in the mime-support package. Too
> much breakage on every front now.
Well... I think it's quite dangerous to again play around at
mime-support.
I mean we all know the problems arising from there,... not only the
security issues like foo.php.jpeg, but also that we are again quite
dependent on some other package.



Admittedly, we're in quite a shitty situation now, so close to wheezy,
but I somewhat agree to Stefan, in better just adding some more release
notes.

The next step would/could be to think about post-wheezy release goals
for the overall PHP framework in Debian.
Which includes IMHO:
- unifying as much (apache) configs as possible for the different SAPIs

- other packages (i.e. packaged PHP programs) should not rely on PHP
being activated by the php packages (especially not globally), but
should rather give the user a debconf option on where (which webserver)
to activate it how (always only "local" scope,... and questioning which
SAPI)

- make the different SAPIs co-exist more "out-of-the-box"...which i.e.
also addresses this very bug....
The ideal state would be that one can enable all SAPIs in one Apache
instance and even use them in the same vhost... differentiating per
<Directory> (well at least as far as this is possible for all the
SAPIs).
Maybe this requires that we patch things like mod_f(ast)cgid ... to use
other handler names.
I have not yet an idea how all this could be achieved.




But back to this very bug:
If we say we "solve" this for now, by just adding release notes as
Stefan proposed... then there is still one important thing left.
Namely those I asked in the mails from:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687418#59
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687418#69

May we run into the problem, that again, files are accidentally served
(as files)?


Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Mon, 08 Oct 2012 20:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 08 Oct 2012 20:45:03 GMT) Full text and rfc822 format available.

Message #111 received at 687307@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: Stefan Fritsch <sf@debian.org>, Matthias Urlichs <matthias@urlichs.de>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, debian-apache@lists.debian.org, Charles Plessy <plessy@debian.org>
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 8 Oct 2012 22:42:02 +0200
On Mon, Oct 8, 2012 at 9:51 PM, Christoph Anton Mitterer
<calestyo@scientia.net> wrote:
> On Mon, 2012-10-08 at 15:38 +0200, Ondřej Surý wrote:
>> Just one last question which came to my mind. Would this all be fixed
>> if we added non-magic type to mime-support (e.g.
>> http://bugs.debian.org/670945) and reverting the changes done in the
>> php5-cgi package?
> I'm a bit unsure how/why that would fix the general problem?
> Perhaps you can elaborate a bit more on what your ideas are :)

Basically it would bring the old behaviour back while not mangling
with custom Set/AddHandler directives in the apache. Remember the
php5_cgi.{load,conf} hack was introduced after decision to fix this
only in Apache - which in turn caused more breakage in custom setups
than expected.

Stefan, what do you think?

[...snip some unrelated future ideas...]

O.
-- 
Ondřej Surý <ondrej@sury.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Mon, 08 Oct 2012 21:30:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 08 Oct 2012 21:30:10 GMT) Full text and rfc822 format available.

Message #116 received at 687307@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Ondřej Surý <ondrej@debian.org>
Cc: Stefan Fritsch <sf@debian.org>, Matthias Urlichs <matthias@urlichs.de>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, debian-apache@lists.debian.org, Charles Plessy <plessy@debian.org>
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Mon, 08 Oct 2012 23:26:39 +0200
On Mon, 2012-10-08 at 22:42 +0200, Ondřej Surý wrote:
> Basically it would bring the old behaviour back while not mangling
> with custom Set/AddHandler directives in the apache. Remember the
> php5_cgi.{load,conf} hack was introduced after decision to fix this
> only in Apache - which in turn caused more breakage in custom setups
> than expected.
Ah... so you mean adding e.g. application/x-php (or whatever) but don't
use this with mod_php or normal CGI (where we'd still keep the
php5_cgi.{load,conf} then?)


Not sure about that...
I mean these types were removed for good reasons... and especially in
Apache people should at best stop using /etc/mime.types at all.
I somehow fear a bit,... that we might just end up with other new
(security?) issues being added.


Putting parts of PHP "configuration" (well I know it's not really that)
in other packages seems problematic to me.... IMHO the cleanest solution
would be, if PHP-packages add the necessary basic configuration to
installed webservers (ideally not only to Apache)... without activating
PHP.
The latter then being done manually by the admin, or (more or less)
automagically by other packages.


Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Thu, 11 Oct 2012 00:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Charles Plessy <plessy@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 11 Oct 2012 00:09:05 GMT) Full text and rfc822 format available.

Message #121 received at 687307@bugs.debian.org (full text, mbox):

From: Charles Plessy <plessy@debian.org>
To: Ondřej Surý <ondrej@debian.org>
Cc: Stefan Fritsch <sf@debian.org>, Matthias Urlichs <matthias@urlichs.de>, Christoph Anton Mitterer <calestyo@scientia.net>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, debian-apache@lists.debian.org, mime-support@packages.debian.org
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Thu, 11 Oct 2012 09:06:48 +0900
> On Sat, Oct 6, 2012 at 9:51 PM, Stefan Fritsch <sf@debian.org> wrote:
> >
> > This sucks. In hindsight, maybe the mime.types change should have been
> > deferred until we upgrade to apache 2.4 and people have to adjust their
> > configs anyway. But I think it's too late now to go back. And leaving the
> > *.php.foo problem there for yet another release cycle would not have been a
> > good solution either.

On Mon, Oct 08, 2012 at 03:38:10PM +0200, Ondřej Surý wrote:
> 
> Just one last question which came to my mind. Would this all be fixed
> if we added non-magic type to mime-support (e.g.
> http://bugs.debian.org/670945) and reverting the changes done in the
> php5-cgi package?
> 
> That I think would justify change in the mime-support package. Too
> much breakage on every front now.

Hello Ondřej, Stefan, and everybody,

Do you think that there is a way to fix #589384 (the *.php.foo problem)
without removing the application/x-httpd-* media types ?

I did not realise before that in the current release cycle, Apache stays at
version 2.2 and that in Jessie, configurations will need to be re-adjusted
anyway.  I think that it is a good argument for a compromise, provided that
#589384 stays solved and that we agree that in Jessie the media types
application/x-httpd-* will be removed from /etc/mime.types.

Of course, it is even better if there is an easy way to adjust the priority of
the SetHandler statement of php5_cgi.conf in a way that does not break FastCGI
configurations. 

What do you think ?

Have a nice day,
 
-- 
Charles Plessy
Tsurumi, Kanagawa, Japan



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Thu, 11 Oct 2012 08:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 11 Oct 2012 08:57:03 GMT) Full text and rfc822 format available.

Message #126 received at 687307@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Charles Plessy <plessy@debian.org>
Cc: Ondřej Surý <ondrej@debian.org>, Stefan Fritsch <sf@debian.org>, Matthias Urlichs <matthias@urlichs.de>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, debian-apache@lists.debian.org, mime-support@packages.debian.org
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Thu, 11 Oct 2012 03:14:01 +0200
Hi Charles.


On Thu, 2012-10-11 at 09:06 +0900, Charles Plessy wrote:
> Do you think that there is a way to fix #589384 (the *.php.foo problem)
> without removing the application/x-httpd-* media types ?
I would say no, well at least not if we also want to use these media
types later on in Apache to select something for interpretation.

The problem with using /etc/mime.types via the TypesConfig directive in
Apache is the usual with Apache:
Most mod_mime directives (and maybe also others) will assign a media
type if just any extension (i.e. also the foo in file.foo.bar) matches.

The usual way around this is to place these directives in e.g.
<Files ?*.bar>
</Files>
or
<FilesMatch ^.+\.bar$>
</FilesMatch>

TypesConfig however is a server wide scope directive, so this won't work
here.


As I mentioned previously, I think it's very dangerous to use
TypesConfig per default. It's evil by design and people should need to
intentionally enable it (and then hopefully know what they're doing).



I really think we should not fiddle around with mime-types anymore, or
better: I think we should stop using it to "enable files for
interpretation", even if that may break now some setups. Of course we
should provide release notes hints on how to make them work again, which
is usually quite easy.

Also, please consider that people using "advanced" stuff like FastCGI
can be expected to know what they're doing.


> I did not realise before that in the current release cycle, Apache stays at
> version 2.2 and that in Jessie, configurations will need to be re-adjusted
> anyway.
It would of course be nice, if we could postpone this to jessie, but...

> I think that it is a good argument for a compromise, provided that
> #589384 stays solved and that we agree that in Jessie the media types
> application/x-httpd-* will be removed from /etc/mime.types.
Right now I see no way to prevent the evil.php.jpeg issue otherwise.
And note especially, that also FastCGI is in principle vulnerable to
this. Though I haven't checked right now, how they actually select the
PHP files for interpretation (which may or may not prevent the issue).


> easy way to adjust the priority of
> the SetHandler statement of php5_cgi.conf
I think it's determined by the loading order... which makes it basically
impossible IMHO to really make sure it gets loaded as we want it to.

>  in a way that does not break FastCGI
> configurations.
Even then we need to check whether fastcgi or fcgid are vulnerable to
the evil.php.jpeg issue.



Cheers,
Chris.
[smime.p7s (application/x-pkcs7-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Thu, 11 Oct 2012 11:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 11 Oct 2012 11:15:04 GMT) Full text and rfc822 format available.

Message #131 received at 687307@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Charles Plessy <plessy@debian.org>
Cc: Ondřej Surý <ondrej@debian.org>, Stefan Fritsch <sf@debian.org>, Matthias Urlichs <matthias@urlichs.de>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, debian-apache@lists.debian.org, mime-support@packages.debian.org
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Thu, 11 Oct 2012 03:18:22 +0200
[Message part 1 (text/plain, inline)]
Oh and one more thing (even though this is PHP unrelated):

Maybe I misunderstand something but it seems both:

libapache2-mod-fcgid, which uses:
<IfModule mod_fcgid.c>
  AddHandler	fcgid-script .fcgi
  FcgidConnectTimeout 20
</IfModule>

and
libapache2-mod-fastcgi, which uses:
<IfModule mod_fastcgi.c>
  AddHandler fastcgi-script .fcgi
  #FastCgiWrapper /usr/lib/apache2/suexec
  FastCgiIpcDir /var/lib/apache2/fastcgi
</IfModule>


are highly vulnerable to the evil.fcgi.jpeg issue...


Can you confirm this? Cause then we need to open some critical bugs.


Cheers,
Chris.
[smime.p7s (application/x-pkcs7-signature, attachment)]
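The matching behaviour discussed in the two messages above (mod_mime assigning a handler when any extension matches, and the global AddHandler lines shipped by mod_fcgid and mod_fastcgi), as an added Python example that is not part of the thread or of any Debian package. The mod_mime model is a simplification, the function names and the EXEC_TARGETS list are assumptions, and the sample config reuses the two stanzas quoted above plus a constructed FilesMatch block.

```python
import re

# Handler names / media-type prefixes that make Apache execute a file instead
# of serving it. Assumed list for this example; extend it for your own setup.
EXEC_TARGETS = ("fcgid-script", "fastcgi-script", "cgi-script",
                "application/x-httpd-")

_MAP = re.compile(r"^\s*(AddHandler|AddType)\s+(\S+)\s+(.+?)\s*$", re.I)
_OPEN = re.compile(r"^\s*<(Files|FilesMatch)\b", re.I)
_CLOSE = re.compile(r"^\s*</(Files|FilesMatch)\s*>", re.I)

# The two stanzas quoted in the thread, followed by a constructed
# FilesMatch-scoped variant for comparison.
SAMPLE_CONF = r"""<IfModule mod_fcgid.c>
  AddHandler fcgid-script .fcgi
  FcgidConnectTimeout 20
</IfModule>
<IfModule mod_fastcgi.c>
  AddHandler fastcgi-script .fcgi
  #FastCgiWrapper /usr/lib/apache2/suexec
  FastCgiIpcDir /var/lib/apache2/fastcgi
</IfModule>
<FilesMatch "^.+\.fcgi$">
  SetHandler fcgid-script
</FilesMatch>
"""


def mod_mime_handler(filename, handler_map):
    """Simplified model of mod_mime: every dot-separated extension after the
    base name is looked up, and the rightmost mapped extension wins."""
    handler = None
    for ext in filename.lower().split(".")[1:]:
        if ext in handler_map:
            handler = handler_map[ext]
    return handler


def last_ext_handler(filename, pattern, handler):
    """Model of SetHandler inside <FilesMatch pattern>: the handler applies
    only when the regex matches the file name."""
    return handler if re.search(pattern, filename) else None


def audit_config(text):
    """Return (line number, target, extensions) for every AddHandler/AddType
    that maps an executing target outside a <Files>/<FilesMatch> section.
    <IfModule> and other containers do not restrict the match by file name."""
    findings, depth = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if _OPEN.match(line):
            depth += 1
        elif _CLOSE.match(line):
            depth = max(depth - 1, 0)
        else:
            m = _MAP.match(line)
            if m and depth == 0 and m.group(2).lower().startswith(EXEC_TARGETS):
                findings.append((lineno, m.group(2), m.group(3).split()))
    return findings


if __name__ == "__main__":
    for lineno, target, exts in audit_config(SAMPLE_CONF):
        hmap = {e.lstrip(".").lower(): target for e in exts}
        probe = "evil" + exts[0] + ".jpeg"   # constructed file name
        print("line %d: %s -> %s is handled by %r"
              % (lineno, " ".join(exts), probe, mod_mime_handler(probe, hmap)))
    print("FilesMatch-scoped:",
          last_ext_handler("evil.fcgi.jpeg", r"^.+\.fcgi$", "fcgid-script"))
```

The audit only reports where an executing handler is mapped by extension at global scope; it does not check whether "Options ExecCGI" is set for the directory, which mod_fcgid and mod_fastcgi also require.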

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Mon, 15 Oct 2012 22:18:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 15 Oct 2012 22:18:08 GMT) Full text and rfc822 format available.

Message #136 received at 687307@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@debian.org>
To: Charles Plessy <plessy@debian.org>
Cc: debian-apache@lists.debian.org, Ondřej Surý <ondrej@debian.org>, Matthias Urlichs <matthias@urlichs.de>, Christoph Anton Mitterer <calestyo@scientia.net>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, mime-support@packages.debian.org
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Tue, 16 Oct 2012 00:16:04 +0200
On Thursday 11 October 2012, Charles Plessy wrote:
> Le Mon, Oct 08, 2012 at 03:38:10PM +0200, Ondřej Surý a écrit :
> > Just one last question which came to my mind. Would this all be
> > fixed if we added non-magic type to mime-support (e.g.
> > http://bugs.debian.org/670945) and reverting the changes done in
> > the php5-cgi package?
> > 
> > That I think would justify change in the mime-support package.
> > Too much breakage on every front now.

And remove the php-cgi.conf completely, right? So this would introduce 
a different fix for the multi-views problem. Are you sure that there 
is no other problem that we would re-introduce? Maybe it's worth a 
try.

> Hello Ondřej, Stefan, and everybody,
> 
> Do you think that there is a way to fix #589384 (the *.php.foo
> problem) without removing the application/x-httpd-* media types ?

There is at least no solution that is obviously right. I fear that 
regardless what we do, we will break some configs.

Besides removing the media types from /etc/mime.types, one could add a 
"RemoveType php ..." to the apache config (but where?). Or maybe, one 
could also set "AddHandler default-handler php ...". The latter is an 
idea I just had, I have not thought it through or tested it.

> I did not realise before that in the current release cycle, Apache
> stays at version 2.2 and that in Jessie, configurations will need
> to be re-adjusted anyway.  I think that it is a good argument for
> a compromise, provided that #589384 stays solved and that we agree
> that in Jessie the media types application/x-httpd-* will be
> removed from /etc/mime.types.
> 
> Of course, it is even better if there is an easy way to adjust the
> priority of the SetHandler statement of php5_cgi.conf in a way
> that does not break FastCGI configurations.

I think there are rather too many possibilities and the pros/cons of 
each one get lost in this thread. (Well, that is partially my fault 
because I take so long to respond, but I have been busy :-( )

Maybe it would be better to create a single document with all possible 
solutions and pro and cons? I have started to create such an overview 
at http://wiki.debian.org/Apache/WheezyMimeTypes but it is not 
finished yet. Feel free to add more infos/solutions/pros/cons. The 
page may come in handy for the Jessie, too.

Christoph: For mod-fastcgi/mod-fcgid, the file.fcgi.foo problem is 
somewhat mitigated that they require "Options ExecCGI", too. And 
AFAICS that is not set by default. Any opinions if this is "good 
enough" for wheezy? I lean towards yes, but maybe I am missing 
something.

Besides, it would be interesting to check how mod_action behaves... 

Cheers,
Stefan



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Tue, 16 Oct 2012 01:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 16 Oct 2012 01:48:03 GMT) Full text and rfc822 format available.

Message #141 received at 687307@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Stefan Fritsch <sf@debian.org>
Cc: Charles Plessy <plessy@debian.org>, debian-apache@lists.debian.org, Ondřej Surý <ondrej@debian.org>, Matthias Urlichs <matthias@urlichs.de>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, mime-support@packages.debian.org
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Tue, 16 Oct 2012 03:45:06 +0200
[Message part 1 (text/plain, inline)]
Hey folks.

On Tue, 2012-10-16 at 00:16 +0200, Stefan Fritsch wrote:
> And remove the php-cgi.conf completely, right? So this would introduce 
> a different fix for the multi-views problem. Are you sure that there 
> is no other problem that we would re-introduce? Maybe it's worth a 
> try.


> There is at least no solution that is obviously right. I fear that 
> regardless what we do, we will break some configs.
I'd say we should "sit" together after wheezy however,... searching for
some best-as-possible-overall-framework ;)


> Besides removing the media types from /etc/mime.types, one could add a 
> "RemoveType php ..." to the apache config (but where?).
I proposed that previously to Ondřej but only as a poor-man's
guarantee... I wouldn't want to see that we really rely on it,... cause
it may easily break...
One never knows what upstream changes... e.g. at some day there might be
a change in the order of evaluation from RemoveType and TypesConfig...
or evil things like that...


> Or maybe, one 
> could also set "AddHandler default-handler php ...". The latter is an 
> idea I just had, I have not thought it through or tested it.
Sounds like it could work,... and actually a nice idea ;) ... but it
seems somewhat ugly to me... you know adding handlers and assigning
stuff just for hackings something into...
We cannot know how much something like this breaks... just imagine if a
user has already his own "default-handler" defined.



> Maybe it would be better to create a single document with all possible 
> solutions and pro and cons? I have started to create such an overview 
> at http://wiki.debian.org/Apache/WheezyMimeTypes but it is not 
> finished yet. Feel free to add more infos/solutions/pros/cons. The 
> page may come in handy for the Jessie, too.
Good idea... I hope I'll find some time into looking at it...

But in general... I'm a bit scared that we clash into the release of
wheezy with neither a perfect nor an at-least-somewhat-secure solution.
So the question to the group is:
Should we continue with investigating in a perfect solution (and that
wiki seems to somewhat go into that direction)... or should we simply
admit there's a shitty situation for wheezy... add the necessary release
notes with big fat exclamation marks... and shame ourselves till we come
up with the uber-solution in jessie?
;-)


> Christoph: For mod-fastcgi/mod-fcgid, the file.fcgi.foo problem is 
> somewhat mitigated that they require "Options ExecCGI", too. And 
> AFAICS that is not set by default. Any opinions if this is "good 
> enough" for wheezy? I lean towards yes, but maybe I am missing 
> something.
Well... phew... I mean don't get me wrong... nearly all what we do here
is about teaching users and/or helping them not to shoot themselves...
so in theory you're right and this is enough... on the other hand:
Practise looks like this that users often have merely an idea what they
do... and I'd feel better, if both mods also place some <Files> block
around.

Actually,... I'd even feel better if they stop automatically enabling
things.
And this is not my usual security-paranoid
installed-packages-shouldn't-enable-their-stuff-automatically talking...
it's rather that in this special cases (namely Apache)... they enable
things globally for the whole server... which is (to my experience)
rarely needed.
We could help users from potential security troubles,... if we "force"
them to decide in which context they want to enable things.


But how to proceed now?
In general, if we "secure" these two mods from the evil.fcgi.jpeg issue,
we have the same problem as with PHP (there Ondřej added an according
entry to NEWS and README.Debian) namely that we potentially break some
setups (those from such devilish admins coming straight from hell and
used http content negotiation in some way with their interpreted stuff).
I personally think it's definitely worth!

Then we have the options:
a) Either just secure it with <Files> blocks around the directives that
add the handlers...
b) or disable global per-default activation but still document in each
of the two packages how to do it right.

I'd vote for (b).
Depending on what you guys from the Apache Maintainer group say... I'd
open respective bugs, and help Tatsuik and Taku with documentation and
stuff...



Chris.
[smime.p7s (application/x-pkcs7-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Fri, 26 Oct 2012 11:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 26 Oct 2012 11:21:03 GMT) Full text and rfc822 format available.

Message #146 received at 687307@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Stefan Fritsch <sf@debian.org>
Cc: Matthias Urlichs <matthias@urlichs.de>, Christoph Anton Mitterer <calestyo@scientia.net>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, debian-apache@lists.debian.org
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Fri, 26 Oct 2012 13:18:45 +0200
On Sat, Oct 6, 2012 at 9:51 PM, Stefan Fritsch <sf@debian.org> wrote:
> Hi Ondřej,
>
> I also cannot think of any configuration that would make everyone happy. At
> the moment, I fear this can only be solved by more documentation.
>
> Maybe one could add such a paragraph to the NEWS entry of php5-cgi 5.4.4-5,
> e.g. before "The standard configuration now also..." :
>
>   WARNING: The new configuration may override other configuration
>   directives you may have added locally for the .php extension, for
>   example for FastCGI processing. This behavior is caused by <FilesMatch>
>   configuration sections overriding directives appearing in global server
>   or VirtualHost scope. You should review and test your configuration and
>   verify that your php scripts work as expected.

In the end I have used slightly different text with a warning to check
the existing setup foo.php.jpeg vulnerability. Improvements welcome
(as a patch, not as a rant).

+ The new (dummy) php5_cgi configuration uses SetHandler directive and
+ thus it might interfere with your existing custom configuration like
+ FastCGI (mod_fcgid or mod_fastcgi).  In that case please disable
+ php5_cgi module (a2dismod php5_cgi) to reenable the existing
+ functionality of your custom configuration.  It is also advised that
+ you check your custom configuration whether it's not vulnerable to
+ foo.php.jpeg attacks.  The php5_cgi configuration snippet can be used
+ as base - it's important to use FilesMatch or Files directive to
+ limit the handling to the last extension.
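
Review bot: the sentence beginning "It is also advised" asks admins to check for "foo.php.jpeg attacks" but the added text never says what such an attack is, so a reader who does not already know the term has nothing to check against. Add one sentence stating that a file carrying .php as a non-final extension can be handed to the interpreter unless handling is limited to the last extension, which is what the closing sentence about FilesMatch or Files is guarding against. The phrase "whether it's not vulnerable" in the same sentence would also read more clearly as "that it is not vulnerable".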

I think it became clear that we are stuck with no solution which would
work for anyone, so this is the minimal variant of what we should do
in PHP package.  If somebody comes with better solution (or just tests
the non-magic mime-types as written down by sf in
http://wiki.debian.org/Apache/WheezyMimeTypes), I think we can still
change that before release. But now we at least need more test in
php5-cgi.NEWS.

O.
-- 
Ondřej Surý <ondrej@sury.org>



Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Fri, 26 Oct 2012 12:51:09 GMT) Full text and rfc822 format available.

Notification sent to Dmitry Kolesnikov <kastaneda@gmail.com>:
Bug acknowledged by developer. (Fri, 26 Oct 2012 12:51:09 GMT) Full text and rfc822 format available.

Message #151 received at 687307-close@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: 687307-close@bugs.debian.org
Subject: Bug#687307: fixed in php5 5.4.8-1
Date: Fri, 26 Oct 2012 12:48:30 +0000
Source: php5
Source-Version: 5.4.8-1

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 687307@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 25 Oct 2012 16:05:34 +0200
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-fpm libphp5-embed php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-imap php5-interbase php5-intl php5-ldap php5-mcrypt php5-mysql php5-mysqlnd php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.4.8-1
Distribution: experimental
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 libphp5-embed - HTML-embedded scripting language (Embedded SAPI library)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-enchant - Enchant module for php5
 php5-fpm   - server-side, HTML-embedded scripting language (FPM-CGI binary)
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-intl  - internationalisation module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mysql - MySQL module for php5
 php5-mysqlnd - MySQL module for php5 (Native Driver)
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 683415 687307
Changes: 
 php5 (5.4.8-1) experimental; urgency=low
 .
   * Imported Upstream version 5.4.8
     + Update patches for new release
   * Remove IfModule to always interpret PHP if the module is enabled
   * Fix extended DES crypt when salt != 9
   * Fix libphp5-embed linking:
     + Expose all installed (and not built time) SAPIs via php-config --php-sapis
     + Add /usr/lib/php5 to php-config --ldflags output to allow linking with libphp5.so
   * Add new lintian-overrides for libphp5-embed
   * Add logrotate script for php5-fpm (Closes: #683415)
   * Add more warning text about new php5_cgi apache2 module (Closes: #687307)
   * Add Breaks: php5-suhosin so people don't try to use it with PHP 5.4

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlCKgp4ACgkQ9OZqfMIN8nOmSACfWGeJUAchj5vor+c9YuqTBJ3Z
lRcAnRX84e7cwxFlffe5xn8DgeFpMyiP
=CBax
-----END PGP SIGNATURE-----




Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Fri, 26 Oct 2012 12:51:10 GMT) Full text and rfc822 format available.

Notification sent to Matthias Urlichs <matthias@urlichs.de>:
Bug acknowledged by developer. (Fri, 26 Oct 2012 12:51:10 GMT) Full text and rfc822 format available.

Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Fri, 26 Oct 2012 12:51:10 GMT) Full text and rfc822 format available.

Notification sent to Christoph Kling <christoph@kling.org>:
Bug acknowledged by developer. (Fri, 26 Oct 2012 12:51:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#687307; Package php5-cgi. (Sun, 28 Oct 2012 22:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 28 Oct 2012 22:24:03 GMT) Full text and rfc822 format available.

Message #164 received at 687307@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Ondřej Surý <ondrej@debian.org>
Cc: Stefan Fritsch <sf@debian.org>, Matthias Urlichs <matthias@urlichs.de>, Konstantin Khomoutov <flatworm@users.sourceforge.net>, 687307@bugs.debian.org, Dmitry Kolesnikov <kastaneda@gmail.com>, debian-apache@lists.debian.org
Subject: Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine
Date: Sun, 28 Oct 2012 23:21:26 +0100
[Message part 1 (text/plain, inline)]
On Fri, 2012-10-26 at 13:18 +0200, Ondřej Surý wrote:
> + It is also advised that
> + you check your custom configuration whether it's not vulnerable to
> + foo.php.jpeg attacks.  The php5_cgi configuration snippet can be used
> + as base - it's important to use FilesMatch or Files directive to
> + limit the handling to the last extension.
Can we perhaps explain a bit more, what the foo.php.jpeg attack is? The
last sentence hints it already a bit,... but I guess without clear
explanation people may simply skip it.



> I think it became clear that we are stuck with no solution which would
> work for anyone
Do you agree... that we should work on some hopefully
general-everything-works framework for jessie?


Chris.
[smime.p7s (application/x-pkcs7-signature, attachment)]

Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Mon, 29 Oct 2012 13:36:09 GMT) Full text and rfc822 format available.

Notification sent to Dmitry Kolesnikov <kastaneda@gmail.com>:
Bug acknowledged by developer. (Mon, 29 Oct 2012 13:36:09 GMT) Full text and rfc822 format available.

Message #169 received at 687307-close@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: 687307-close@bugs.debian.org
Subject: Bug#687307: fixed in php5 5.4.4-9
Date: Mon, 29 Oct 2012 13:33:27 +0000
Source: php5
Source-Version: 5.4.4-9

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 687307@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 26 Oct 2012 14:32:02 +0200
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-fpm libphp5-embed php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-imap php5-interbase php5-intl php5-ldap php5-mcrypt php5-mysql php5-mysqlnd php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.4.4-9
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 libphp5-embed - HTML-embedded scripting language (Embedded SAPI library)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-enchant - Enchant module for php5
 php5-fpm   - server-side, HTML-embedded scripting language (FPM-CGI binary)
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-intl  - internationalisation module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mysql - MySQL module for php5
 php5-mysqlnd - MySQL module for php5 (Native Driver)
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 683415 687307
Changes: 
 php5 (5.4.4-9) unstable; urgency=low
 .
   * Add logrotate script for php5-fpm (Closes: #683415)
   * Add more warning text about new php5_cgi apache2 module (Closes: #687307)
   * Add Breaks: php5-suhosin so people don't try to use it with PHP 5.4

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlCOgbMACgkQ9OZqfMIN8nM50ACgr5N2lRFRKBVEscS5QxfrLSbr
YA8An0X4jnlWOJrvh3PTJX7GniCZsIh+
=shYk
-----END PGP SIGNATURE-----




Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Mon, 29 Oct 2012 13:36:10 GMT) Full text and rfc822 format available.

Notification sent to Matthias Urlichs <matthias@urlichs.de>:
Bug acknowledged by developer. (Mon, 29 Oct 2012 13:36:10 GMT) Full text and rfc822 format available.

Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Mon, 29 Oct 2012 13:36:11 GMT) Full text and rfc822 format available.

Notification sent to Christoph Kling <christoph@kling.org>:
Bug acknowledged by developer. (Mon, 29 Oct 2012 13:36:11 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 11 Dec 2012 07:26:12 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:57:19 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.