Bug#674089: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-18 Thread Charles Plessy
Dear all, thanks everybody for your patience. I know how frustrating it is when one discussion has to be restarted from scratch because of newcomers. I understand that Christoph is not satisfied about the final implementation and, in his opinion, a lack of optimisation, but I cannot comment on

Bug#674089: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-16 Thread Charles Plessy
Le Thu, Aug 16, 2012 at 01:14:58AM +0200, Christoph Anton Mitterer a écrit : On Thu, 2012-08-16 at 00:24 +0200, Stefan Fritsch wrote: Stefan, can you please elaborate on what you mean with magic MIME types? (you're talking about MIME type discovery via libmagic or similar? That would be

Bug#674089: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-16 Thread Christoph Anton Mitterer
On Fri, 2012-08-17 at 08:00 +0900, Charles Plessy wrote: - In Squeeze, using default configurations, files with .php in their name such as foo.php.jpeg are executed as PHP scripts by the Apache web server. Looking at mod-php5 5.3.3-7+squeeze14: not vulnerable, but not optimised either

Bug#674089: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-15 Thread Ondřej Surý
On Wed, Aug 15, 2012 at 4:34 AM, Christoph Anton Mitterer cales...@scientia.net wrote: On Wed, 2012-08-15 at 09:02 +0900, Charles Plessy wrote: For the moment there is the draft proposed by Christoph at http://bugs.debian.org/674089#66 I should note perhaps, that this draft expected all the

Bug#674089: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-15 Thread Stefan Fritsch
Thanks for coming up with some wording. On Wednesday 15 August 2012, Ondřej Surý wrote: In order to avoid any problems when not using Apache PHP5 module, and if you relied on MIME type definitions, read the README.Debian from the php5-common package on how to correctly configure PHP 5

Bug#674089: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-15 Thread Christoph Anton Mitterer
On Wed, 2012-08-15 at 10:40 +0200, Ondřej Surý wrote: With the exception of RemoteType php they are all in the place. I've just had a look into git (I guess that's the canonical location?): http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob_plain;f=debian/php5-common.README.Debian;hb=HEAD

Bug#674089: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-15 Thread Christoph Anton Mitterer
On Wed, 2012-08-15 at 21:07 +0200, Stefan Fritsch wrote: Since we have gone to great pains to not use the magic MIME types anymore, I think we should not recommend them here. Or at least not as the first option. Stefan, can you please elaborate on what you mean with magic MIME types? (you're

Bug#674089: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-15 Thread Stefan Fritsch
On Wednesday 15 August 2012, Christoph Anton Mitterer wrote: On Wed, 2012-08-15 at 21:07 +0200, Stefan Fritsch wrote: Since we have gone to great pains to not use the magic MIME types anymore, I think we should not recommend them here. Or at least not as the first option. Stefan, can you

Bug#674089: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-15 Thread Christoph Anton Mitterer
On Thu, 2012-08-16 at 00:24 +0200, Stefan Fritsch wrote: Stefan, can you please elaborate on what you mean with magic MIME types? (you're talking about MIME type discovery via libmagic or similar? That would be not what's suggested above!) The mime types that are also handler names and

Bug#674089: [php-maint] Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-14 Thread Ondřej Surý
Charles, On Tue, Aug 14, 2012 at 2:50 AM, Charles Plessy ple...@debian.org wrote: Le Tue, Aug 14, 2012 at 02:27:33AM +0200, Christoph Anton Mitterer a écrit : Question: Can any other webservers use mod_php? If so, they _might_ be vulnerable, as the supplied Apache config snippet probably

Bug#674089: [php-maint] Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-14 Thread Charles Plessy
Hi Ondřej, On Tue, Aug 14, 2012 at 2:50 AM, Charles Plessy ple...@debian.org wrote: Yes, I will probably add NEWS file to php5-cgi. Do you already have some text which can be added to release notes or we still need to cook something up? I would like to keep this text in sync. For the

Bug#674089: [php-maint] Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-14 Thread Christoph Anton Mitterer
On Wed, 2012-08-15 at 09:02 +0900, Charles Plessy wrote: For the moment there is the draft proposed by Christoph at http://bugs.debian.org/674089#66 I should note perhaps, that this draft expected all the proposals I made in #674205 to be in place, which they were not yet, when I've looked the

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-13 Thread Charles Plessy
Hi Christoph and PHP maintainers, my answers follow this long quote about a possible release note. For those in CC, please tell if you do not want to get copies anymore. Le Mon, Aug 13, 2012 at 01:44:23AM +0200, Christoph Anton Mitterer a écrit : What about:

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-13 Thread Christoph Anton Mitterer
On Tue, 2012-08-14 at 08:06 +0900, Charles Plessy wrote: + You should also be aware, that a server deployed in CGI mode is open + to several possible vulnerabilities, see upstream CGI security page + to learn ow to defend yourself from such attacks: +

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-13 Thread Charles Plessy
Le Tue, Aug 14, 2012 at 02:27:33AM +0200, Christoph Anton Mitterer a écrit : Question: Can any other webservers use mod_php? If so, they _might_ be vulnerable, as the supplied Apache config snippet probably doesn't apply to them. Most people I know run either CGI (if just security counts)

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-12 Thread Christoph Anton Mitterer
On Sat, 2012-08-04 at 12:44 +0900, Charles Plessy wrote: do I understand correctly that the problem would be solved by documenting the change in the release notes ? Well as said, I do _NOT_ consider this to be enough (see my previous mail for my proposed steps). If yes, can somebody write a

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-03 Thread Charles Plessy
Le Wed, Aug 01, 2012 at 01:54:30AM +0200, Christoph Anton Mitterer a écrit : I guess what I propose here (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674089#35) is the best/safest way to go: 1) something in the release notes 2) the NEWS files of at least mime-types, apache,

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-07-31 Thread Christoph Anton Mitterer
Hey folks. How are things going with this issue? I guess what I propose here (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674089#35) is the best/safest way to go: 1) something in the release notes 2) the NEWS files of at least mime-types, apache, php5-common (mod_php is not enough)

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-06-02 Thread Stefan Fritsch
On Friday 01 June 2012, Christoph Anton Mitterer wrote: Release notes is a good idea, Stefan, Brian... can anyone of you take care of this or should I (but I'm on vacation starting next Tue, so that would take some time). There is still plenty of time. If you get to it first please cc:

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-06-01 Thread Stefan Fritsch
On Thursday 31 May 2012, Christoph Anton Mitterer wrote: So from my side I'd say the following: 1) IF a change like this happens,.. it definitely must go to the NEWS file, as - in the case of Apache HTTPD Server - it can even have security relevant outcomes. So Brian, as long as this change

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-06-01 Thread Christoph Anton Mitterer
On Fri, 2012-06-01 at 16:16 +0200, Stefan Fritsch wrote: I would vote for the release notes plus Release notes is a good idea, Stefan, Brian... can anyone of you take care of this or should I (but I'm on vacation starting next Tue, so that would take some time). either apache2 or mod_php

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-06-01 Thread Arno Töll
On 01.06.2012 17:21, Christoph Anton Mitterer wrote: Neither am I sure, whether Apache is enough, there may be other webservers in Debian that could use mime.types (though I haven't checked this). Lighttpd - at very least - uses /etc/mime.types as well. -- with kind regards, Arno Töll IRC:

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-05-31 Thread Brian White
In 3.52-1 you removed application/x-httpd-* to close #589384. I have no preference to it being present or not. It was marked as release critical by the Apache/PHP folks. Decide among yourselves what is correct and I'll make it that way. -- Brian This happened without any notice to the

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-05-31 Thread Christoph Anton Mitterer
So from my side I'd say the following: 1) IF a change like this happens,.. it definitely must go to the NEWS file, as - in the case of Apache HTTPD Server - it can even have security relevant outcomes. So Brian, as long as this change stays, could you please add such information? 2) I agree with

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-05-31 Thread Raphael Geissert
On Thursday 31 May 2012 11:33:19 Christoph Anton Mitterer wrote: I therefore propose the following changes, which should be also ok for the apache folks: a) Add these type definitions back to mime.types No, they don't even describe .php files correctly. There should really be no

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-05-31 Thread Christoph Anton Mitterer
On Thu, 2012-05-31 at 12:21 -0500, Raphael Geissert wrote: No, they don't even describe .php files correctly. There should really be no application/x-httpd-* entry in mime.types. Why not? application is the designated type family for scripts. Perhaps .php and others should be added back as

Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-05-22 Thread Christoph Anton Mitterer
Package: mime-support Version: 3.52-1 Severity: critical Tags: security Justification: breaks unrelated software Hi. In 3.52-1 you removed application/x-httpd-* to close #589384. This happened without any notice to the NEWS files and I really wonder whether any thought has been spent on which