On Friday 25 May 2012 03:05:20 Hendrik Schmieder wrote: > John Iliffe schrieb: > > On Thursday 24 May 2012 13:05:10 Luke Lozier wrote: > >> One of the PCI scanning companies is demanding an upgrade to 2.4.2 > >> due to the issues described in this CVE: Changes with Apache 2.2.23 > >> > >> *) SECURITY: CVE-2012-0883 (cve.mitre.org) > >> > >> envvars: Fix insecure handling of LD_LIBRARY_PATH that could > >> lead > >> > >> to the current working directory to be searched for DSOs. [Stefan > >> Fritsch] Is there any idea when 2.2.23 will be released? I'd rather > >> not upgrade to 2.4.2 > > > > I got caught the same way in March (re PCI scanning). Guess my guy is > > more up to date than yours! > > > > There should be no reason that I found not to update to 2.4.2 BUT BE > > CAREFUL OF THE CONFIG FILE CHANGES! For example the "order deny > > allow" format directives no longer work in 2.4.*. There are a few > > other changes. > > > > Also, do not be tempted to update to PHP 5.4.0 as it will cause > > segfaults in all the child processes for reasons that escape me > > completely. Use a 5.3.x version. This may be my problem but someone > > on this list was able to confirm the issue and said that it is a PHP > > issue. It may be resolved by now. > > That's a little bit unclear. > In their release announcement they said it is fixed > "Fixed bug #61172 (Add Apache 2.4 support)." > <http://www.php.net/archive/2012.php#id2012-04-26-1> > > But in the changelog #61172 is only listed for 5.3.11, > but not for 5.4.1. > > Hendrik > I think this memo is really directed to me and the comment about PHP 5.4.0 not working with Apache 2.4.1 and 2.4.2. If so, what happened (documented in a closed request to this list) was that I compiled both these Apache versions in late March against PHP 5.4.0 which was the latest version at the time. Haven't looked since. Apache worked fine but the PHP scripts were displayed in raw form on the client instead of the expected result. These are scripts that have been working properly for years. I finally discovered from the Apache error log that whenever a PHP script was processed one of the child processes segfaulted. I wrote up a request to this forum and someone was able to confirm it was a PHP problem so I reported it to their help but was unable to figure out how to get the documentation that was required (traces and so forth) so the report was closed. What happened beyond that I can't say. Hope that is useful. Regards, John > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|