On Mon, May 07, 2012 at 09:29:57PM +0200, Henrik Heil wrote:
> It is not a security issue. I think it could qualify as important
> enough for stable-proposed-updates because:

FWIW, I don't think this is a security issue. I would not oppose the inclusion of the fix, though; it's been in newer versions of mpm-itk for a long time now without any reports of problems, and it fixes what's perhaps the most commonly reported problem on the mpm-itk lists.

> b) The conditions are not as rare as one might think. 1) and 2) are
> good practice and 3) depends on the use case. We encountered the
> error as one of our clients wanted to separate web-applications
> of different maintainers for security reasons. Since he needed to
> switch between these applications often, he triggered the error
> easily.

FWIW, the most common cause of this (from what I can surmise from people's bugs) would probably be when using a reverse proxy.

> c) There is no feasible workaround, given that you have to support
> mod_php (not cgi) and need the different user-IDs.

Well, you could turn off KeepAlive. And you could run different uids on different IP addresses or ports, although especially the latter is only feasible in the reverse-proxy scenario.

/* Steinar */
--
Homepage: http://www.sesse.net/

