Bug 39952 - php / apache vhost security problem
Summary: php / apache vhost security problem
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All All
Importance: High major
Assignee: Gentoo Security
Depends on:
Reported: 2004-01-31 03:14 UTC by Carsten Lohrke (RETIRED)
Modified: 2004-02-08 03:03 UTC
Comment 2 Tim Yamin (RETIRED) gentoo-dev 2004-01-31 07:24:19 UTC
I forgot to add that we also have for Apache 1.x.
Comment 3 Stuart Herbert (RETIRED) gentoo-dev 2004-01-31 13:36:54 UTC
Yuk.  Working on new ebuilds now.

Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2004-01-31 14:41:56 UTC
Okay, a patch for apache1 and apache2 has been committed.  mod_php-4.3.4-r3 has been marked as ~arch until robbat2 has had a chance to look at it.

I'm happy with this on apache2.  Someone needs to test this on apache1.  I don't have a machine I can downgrade to apache1 for testing this.

Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2004-01-31 15:02:08 UTC
Of course, it helps if I patch *all* the occurrences of this problem that plasmaroo found ... ;-)

New patch committed to CVS.
Comment 7 solar (RETIRED) gentoo-dev 2004-01-31 15:05:20 UTC
Do we set register globals on or off by default?
Comment 8 Tim Yamin (RETIRED) gentoo-dev 2004-01-31 15:08:17 UTC
Thanks Stuart - now over to the Ned-or-Rajiv-or-Somebody-please-approve-this-GLSA department.
Comment 9 Tim Yamin (RETIRED) gentoo-dev 2004-01-31 15:09:57 UTC
23:09 <@Stuart> plasmaroo: it should ship with 'register globals' set to off
Comment 10 solar (RETIRED) gentoo-dev 2004-01-31 18:29:57 UTC
Can you please note in the Impact of the GLSA that Gentoo ships/builds php with register globals off.
Comment 11 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-01-31 23:55:13 UTC
stuart: all looks ok, go ahead and move it to x86.
Comment 12 Tim Yamin (RETIRED) gentoo-dev 2004-02-08 03:03:05 UTC
GLSA 200402-01 was sent out, so this can be closed.