Hello,

"Steinar H. Gunderson" wrote on 7.5.2012:
> On Mon, May 07, 2012 at 04:20:08PM +0200, Henrik Heil wrote:
>> [...] would this qualify for the next point release [...]?
>
> I doubt it; as I see it, it falls outside what would usually be considered
> applicable for stable, but the Apache maintainers and Stable Release Managers
> might disagree. You should probably ask them.

As suggested by Steinar, I'd like to try my luck and ask for the chances to accept a fix for mpm-itk in stable-proposed-updates.

The bug (that is fixed in testing) causes an intermittent denial of service under certain (arguably rare) conditions that cannot be completely avoided in a shared hosting environment, which mpm-itk was invented for in the first place. The conditions are:

1) KeepAlive On
2) A .htaccess file that is not world readable.
3) A visitor who requests virtual hosts that have been assigned to different user-IDs in one connection.

It is not a security issue. I think it could qualify as important enough for stable-proposed-updates because:

a) If triggered, the users are effectively locked out. The end-user reflex to hit reload on an unconditional error prolongs the lockout until MaxKeepAliveRequests is reached.
b) The conditions are not as rare as one might think. 1) and 2) are good practice and 3) depends on the use case. We encountered the error as one of our clients wanted to separate web applications of different maintainers for security reasons. Since he needed to switch between these applications often, he triggered the error easily.
c) There is no feasible workaround, given that you have to support mod_php (not cgi) and need the different user-IDs.
d) The patch [1] is small and looks innocent enough to the untrained eye.

[1] http://mpm-itk.sesse.net/apache2.2-mpm-itk-2.2.17-01/11-fix-htaccess-reads-for-persistent-connections.patch

Thanks for considering,
Henrik

Archive: http://lists.debian.org/[email protected]

