On 2012-04-19 15:08:55 +0000, Camaleón wrote: > On Wed, 18 Apr 2012 18:24:34 +0200, Vincent Lefevre wrote: > > On 2012-04-17 15:39:48 +0000, Camaleón wrote: > >> On Mon, 16 Apr 2012 14:25:17 +0200, Vincent Lefevre wrote: > >> > IMHO, the real bug is in mod_php or mod_rivet, that shouldn't be > >> > active (at least concerning the scripting features) by default unless > >> > this is explicitly told with some "Options" for the concerned > >> > directory. > >> > >> I can be wrong but the bug seems aimed to correct the package which > >> contains the file that enables the alias by default, hence the apache2 > >> package. > > > > But the user isn't necessarily the administrator. If the admin installs > > mod_php, making the bug appear if the user has added a symlink to > > /usr/share/doc, that's very bad. > > Sure, but in such case the user (who is in charge of the "alias" for > their domains) will have to manually make the required corrections and > the same goes for the vhosts.
Except that if the user doesn't do this, the same security problem will occur. > There are times when a global solution can't be applied and this > seems to be one of that situations. There is a better solution: to fix mod_php and mod_rivet. -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <http://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon) -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120419235029.ga5...@xvii.vinc17.org
