Package: php5-cgi
Version: 5.4.4-7

I use the FastCGI version of PHP and I have manually configured Apache's mod_fcgid and mod_suexec. After upgrading php5_cli to 5.4.4-7, Apache suddenly began to pass PHP source scripts through without handling them. This can be a serious security concern for those sites that do not store sensitive scripts (like the configuration of database connections) outside of the document root.

After performing a2dismod php5_cgi everything returned to normal. I guess this is an impact of bug #685340. Here are some pieces of my configuration files, with the real domain replaced by 'example.com' and the username replaced by 'example':

/etc/apache2/conf.d/php-fcgid
=====================
Alias /fcgi-bin/ /var/www/fcgi-bin.d/
ProcessLifeTime 3600
MaxRequestsPerProcess 20000
FcgidMaxRequestLen 10485760
FcgidPassHeader AUTHORIZATION
<Location /fcgi-bin/>
    SetHandler fcgid-script
    Options +ExecCGI
</Location>

/etc/apache2/sites-enabled/example.com
=====================
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    <Directory /var/www/example.com>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    AddHandler php-fcgi .php
    Action php-fcgi /fcgi-bin/example/php-fcgi-wrapper
    SuexecUserGroup example example
    ErrorLog ${APACHE_LOG_DIR}/example.com/error.log
    CustomLog ${APACHE_LOG_DIR}/example.com/access.log combined
</VirtualHost>

/var/www/fcgi-bin.d/gray/php-fcgi-wrapper
=====================
#!/bin/sh
export PHPRC=/etc/php5/cgi
export PHP_FCGI_MAX_REQUESTS=25000
exec /usr/bin/php5-cgi

With this configuration, php5_cgi a2enmod'ed and a Drupal website, it is possible to see the MySQL password in cleartext when requesting /sites/default/settings.php on that site.
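A post-upgrade check for the failure mode described in this report, added here as an example and not part of the original bug report or of Debian's packaging: it fetches a PHP file under the document root and flags the response if it still contains PHP open tags, which means the handler chain (here the fcgid wrapper) was bypassed and the source was served verbatim. It assumes curl is installed and that the URL points at a throwaway probe script you control; the `example.com` host is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original report). Detects PHP source disclosure
# after a package upgrade by checking whether a PHP file is executed or served raw.

# Returns 0 (true) when the body looks like unexecuted PHP source.
# Matches the full open tag and the short echo tag; a bare "<?" is deliberately
# not matched so XML prologs ("<?xml") served by a legitimate script do not
# trigger a false positive.
looks_like_php_source() {
    case "$1" in
        *'<?php'*|*'<?='*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch $1 and report whether PHP was handled.
# Exit status: 0 = script was executed, 1 = raw source came back, 2 = fetch failed.
check_php_handled() {
    url="$1"
    body=$(curl -fsS "$url") || { echo "FETCH FAILED: $url"; return 2; }
    if looks_like_php_source "$body"; then
        echo "SOURCE DISCLOSED: $url"
        return 1
    fi
    echo "OK (executed): $url"
    return 0
}

# Usage (placeholder host; point this at a harmless probe script, never at a
# file that contains credentials):
#   check_php_handled "http://example.com/probe.php"
```

Run it against each vhost right after `apt-get upgrade` of any php5-* or libapache2-mod-* package, or hook it into a monitoring check; a non-zero exit is the signal to `a2dismod php5_cgi` (or otherwise fix the conflicting handler) before anyone requests a file like settings.php.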