Somebody committed a change without revbumping Apache that disables mod_cgi by default. Aside from breaking previously expected behavior, this presents a huge potential for code and password leaks. Reproducible: Always
Why does it need a revision bump? The files installed have not changed. Only the default USE flags. If you're running production servers / code you:
a) Don't keep passwords and other sensitive data under the document root
b) Examine all USE flag changes, revision bump or not
How would a revision bump change anything in this scenario? If the admin missed the changes for an update that wasn't a revision bump, why are they going to notice them for a revision bump?
A revbump would be sent to testing where things like this can be ironed out. This was a major in-flight feature change and should not have been thrown immediately into the stable stream, if only to make sure nothing breaks. The simple solution is to make mod_cgi a default module as it used to be, or provide an appropriate buffer and news item if it is to be disabled by default. As it stands, this is a security and information leaking issue regardless of best practice. Code leaks are unavoidable for some applications as CGI uses the ScriptAlias.
This also hit me. It can indeed lead to code or database login leaks, and for me personally, things like this take away a bit of the ease of using Gentoo as a server (system administration hates changing defaults). :/ Of course one would notice the change before restarting when using etc-update or dispatch-conf, yet it's not nice. If the apache team wants to keep "-cgi -cgid", I guess an ewarn would be nice. BTW: where could I track decisions like this, or are they only discussed internally within the apache team?
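The leak mechanism described in comments 1, 3 and 4 is that ScriptAlias belongs to mod_alias, so the URL mapping survives a build without mod_cgi/mod_cgid, but with no handler registered for "cgi-script" Apache falls back to serving the files as static content. The following is an added example, not part of the bug report or of Gentoo's shipped configuration; the paths are assumed to match the default Gentoo vhost (/etc/apache2/vhosts.d/default_vhost.include) and the two blocks are alternatives, not meant to be present together:

```apache
# Added example (not from the bug report or Gentoo's shipped config).
# Assumed paths follow Gentoo's default vhost layout.

# --- Weak: the usual cgi-bin mapping. ScriptAlias comes from mod_alias,
# so it is still honoured when mod_cgi/mod_cgid are not built. Without a
# handler for "cgi-script" the default handler serves the scripts as plain
# files, i.e. the source (and any embedded DB credentials) goes to the client.
ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"
<Directory "/var/www/localhost/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

# --- Hardened: same mapping, but if neither CGI module is loaded the
# directory is denied outright. An upgrade that drops the module then turns
# a source leak into a 403, which also shows up in the error log.
ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"
<Directory "/var/www/localhost/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    <IfModule !mod_cgi.c>
        <IfModule !mod_cgid.c>
            # Neither cgi_module nor cgid_module is loaded: refuse to serve.
            Deny from all
        </IfModule>
    </IfModule>
</Directory>
```

With Order allow,deny, a Deny matching the request wins over the Allow, so the nested negated IfModule blocks only take effect when both modules are absent (under the worker MPM only mod_cgid is typically loaded, which the nesting handles). Whether the modules are actually loaded after an upgrade can be checked with `apache2ctl -M`, and the USE flags that decide whether they are built with `emerge -pv www-servers/apache`.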
Bug #327327.
Although I fully agree with comment #1, I have added cgi and cgid to the default USE flags because it makes sense to have them as default, not because of security holes opened up by performed upgrades without prior checking what they do.
(In reply to comment #5)
> although i fully agree with comment #1 i have added cgi and cgid to the default
> use flags because it makes sense to have them as default, not because of
> security holes opened up by performed upgrades without prior checking what they
> do.

This attitude is wrong and you are preaching to the choir about ideal practices. The lesson learned should be to not introduce nontrivial changes immediately into stable. The change, necessary for 389 Directory Server, could have been queued with a dependency on the unstable revbump where hopefully implications like this would become known with minimal impact.