This release fixes a security issue that was introduced with the 0.7.0 release. This issue affected the source-highlighting feature and could only be exploited if the suPHP_PHPPath option was set. In this case local users who could create or edit .htaccess files could possibly execute arbitrary code with the privileges of the user the webserver was running as. Also please pay attention to the suphp.conf env_path. Documentation says: env_path: Content of the "PATH" environment variable. Set this to a safe value. The value has to be enclosed in quotes or colons have to be escaped with the backslash character. The default value is "/bin:/usr/bin". The default config comes WITHOUT the quotes for the env_path, causing PHP to only look at "/bin".
Reproducible: Always
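An added example (not part of the bug report or of suPHP itself) that models the documented env_path rule quoted above: a quoted value is taken whole, a backslash escapes a colon, and an unquoted, unescaped colon ends the value, so the shipped default collapses to "/bin". The config texts are constructed, and the parsing model is an assumption drawn from the report, not suPHP's actual parser.

```python
import re

# Constructed sample configs: the shipped default (unquoted) and the corrected form.
DEFAULT_SUPHP_CONF = """[global]
logfile=/var/log/suphp.log
loglevel=info
env_path=/bin:/usr/bin
"""

FIXED_SUPHP_CONF = """[global]
logfile=/var/log/suphp.log
loglevel=info
env_path="/bin:/usr/bin"
"""


def env_path_value(raw):
    """Effective PATH string under the documented rule (assumed model)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]  # quoted: colons are kept as-is
    chars, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] == ":":
            chars.append(":")  # escaped colon survives
            i += 2
        elif raw[i] == ":":
            break  # unescaped colon outside quotes ends the value
        else:
            chars.append(raw[i])
            i += 1
    return "".join(chars)


def check_env_path(conf_text):
    """Return (effective PATH, warnings) for the env_path key of a suphp.conf."""
    m = re.search(r"^\s*env_path\s*=\s*(.*?)\s*$", conf_text, re.M)
    if not m:
        return None, ["env_path not set"]
    raw = m.group(1)
    effective = env_path_value(raw)
    # What the administrator evidently intended: the whole value, escapes resolved.
    intended = raw.strip().strip('"').replace("\\:", ":")
    warnings = []
    if effective != intended:
        warnings.append(
            f"env_path {raw!r} is truncated to {effective!r}: "
            "enclose the value in quotes or escape the colons"
        )
    return effective, warnings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_SUPHP_CONF), ("fixed", FIXED_SUPHP_CONF)):
        print(name, check_env_path(conf))
```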
This package has no maintainer so this bug may go unnoticed for a long time. Gentoo has a dedicated team[1] for assisting users in maintaining orphaned packages. If you are interested in maintaining this package, please contact proxy-maint@gentoo.org. [1]: http://www.gentoo.org/proj/en/qa/proxy-maintainers/index.xml
Created attachment 352998 [details] mod_suphp-0.7.2.ebuild: modified inherit, added src_prepare
Created attachment 353000 [details] suphp.conf: modified suphp.conf to cover my needs; most of it should be widely applicable.
- set loglevel to warn (info)
- set docroot to /home (/var/www/)
- fix the env_path
- added handlers for PHP 5.2 - 5.5
Created attachment 353002 [details] 70_mod_suphp.conf: added handlers for PHP 5.2 - 5.5
Created attachment 353004 [details] 70_mod_suphp.conf: added handlers for PHP 5.2 - 5.5. Reassigned .php4 to handler application/x-httpd-php5. Don't support PHP 4 anymore; last update four and a half years ago.
Created attachment 353060 [details] mod_suphp-0.7.2.ebuild: fixed inherit class to support "confutils_require_one mode-force mode-owner mode-paranoid" again. The ebuild works fine for me on x86_64.
Looks like killing this would be safer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738133
dropped