Patch from CVS: http://chora.php.net/diff.php/php-src/sapi/apache2handler/sapi_apache2.c?login=2&r1=220.127.116.11&r2=18.104.22.168&ty=u
I forgot to add that we also have http://chora.php.net/diff.php/php-src/sapi/apache/mod_php5.c?login=2&r1=1.7&r2=1.8&ty=u for Apache 1.x.
Yuk. Working on new ebuilds now.
Okay, a patch for apache1 and apache2 has been committed. mod_php-4.3.4-r3 has been marked as ~arch until robbat2 has had a chance to look at it.
I'm happy with this on apache2. Someone needs to test this on apache1. I don't have a machine I can downgrade to apache1 for testing this.
Of course, it helps if I patch *all* the occurrences of this problem that plasmaroo found ... ;-)
New patch committed to CVS.
Do we set register globals on or off by default?
Thanks Stuart - now over to the Ned-or-Rajiv-or-Somebody-please-approve-this-GLSA department.
23:09 <@Stuart> plasmaroo: it should ship with 'register globals' set to off
Can you please note in the Impact of the GLSA that Gentoo ships/builds php with register globals off.
stuart: all looks ok, go ahead and move it to x86.
GLSA 200402-01 was sent out, so this can be closed.