From: "Sebastian Pipping" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sebastian Pipping" Message-ID: <1428275331.48f5fc4cf0ab6ef4fbdcb7f3b86110cf54a8840b.sping@gentoo> Subject: [gentoo-commits] proj/gentoo-news:master commit in: 2015/2015-04-06-apache-addhandler-addtype/ X-VCS-Repository: proj/gentoo-news X-VCS-Files: 2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt 2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc X-VCS-Directories: 2015/2015-04-06-apache-addhandler-addtype/ X-VCS-Committer: sping X-VCS-Committer-Name: Sebastian Pipping X-VCS-Revision: 48f5fc4cf0ab6ef4fbdcb7f3b86110cf54a8840b X-VCS-Branch: master Date: Sun, 5 Apr 2015 23:09:12 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 1b9cc962-545e-49f5-8d1c-d6b858c8237b X-Archives-Hash: a3794842c6f2d69d5a9c30a1d0fb1ea5 commit: 48f5fc4cf0ab6ef4fbdcb7f3b86110cf54a8840b Author: Sebastian Pipping pipping org> AuthorDate: Sun Apr 5 22:50:59 2015 +0000 Commit: Sebastian Pipping gentoo org> CommitDate: Sun Apr 5 23:08:51 2015 +0000 URL: https://gitweb.gentoo.org/proj/gentoo-news.git/commit/?id=48f5fc4c Add news item "Apache AddHandler/AddType vulnerability protection" .../2015-04-06-apache-addhandler-addtype.en.txt | 96 ++++++++++++++++++++++ ...2015-04-06-apache-addhandler-addtype.en.txt.asc | 7 ++ 2 files changed, 103 insertions(+) diff --git a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt new file mode 100644 index 0000000..d7d58af --- /dev/null +++ b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt 
@@ -0,0 +1,96 @@ +Title: Apache AddHandler/AddType vulnerability protection +Author: Sebastian Pipping +Content-Type: text/plain +Posted: 2015-04-06 +Revision: 1 +News-Item-Format: 1.0 +Display-If-Installed: www-servers/apache + +Apache's directives AddHandler [1] and AddType [2] can be used +to map certain file name extensions (e.g. .php) to a handler +(e.g. application/x-httpd-php). While a line like + + AddHandler application/x-httpd-php .php .php5 .phtml + ^^^^^^^ +matches index.php, it also matches index.php.png. +With + + AddType application/x-httpd-php .php .php5 .phtml + ^^^^ +index.php.png is not executed, but index.php.disabled still is. + + +Apache's notes on multiple file extensions [3] document +a multi-language website as a context where that behavior +may be helpful. Unfortunately, it can be a security threat. + +Combined with (not just PHP) applications that support +file upload, the AddHandler/AddType directive can get you into +remote code execution situations. + +That is why >=app-eselect/eselect-php-0.7.1-r4 avoids AddHandler +and is shipping + + + SetHandler application/x-httpd-php + + +instead. + + +Why this news entry? + + * Since Apache configuration lives below /etc, + you need to run etc-update (or a substitute) + to actually have related fixes applied. + + * If you are currently relying on AddHandler to execute + secret_database_stuff.php.inc, moving away from AddHandler + could result in serving your database credentials in plain + text. A command like + + find /var/www/ -name '*.php.*' \ + -o -name '*.php5.*' \ + -o -name '*.phtml.*' + + may help discovering PHP files that would no longer be executed. 
+ + Shipping automatic protection for this scenario is not trivial, + but you could manually install protection based on this recipe: + + + # a) Apache 2.2 / Apache 2.4 + mod_access_compat + #Order Deny,Allow + #Deny from all + + # b) Apache 2.4 + mod_authz_core + #Require all denied + + # c) Apache 2.x + mod_rewrite + #RewriteEngine on + #RewriteRule .* - [R=404,L] + + + * You may be using AddHandler or AddType at other places, + including off-package files. Please have a look. + + * app-eselect/eselect-php is not the only package affected. + There is a dedicated tracker bug at [4]. + As of the moment, affected packages include: + + app-eselect/eselect-php[apache2] + net-nds/gosa-core + www-apache/mod_fastcgi + www-apache/mod_flvx + www-apache/mod_python + www-apache/mod_suphp + www-apps/moinmoin + www-apps/rt[-lighttpd] + + +Thanks to Nico Suhl, Michael Orlitzky and Marc Schiffbauer. + +[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler +[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype +[3] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext +[4] https://bugs.gentoo.org/show_bug.cgi?id=544560 diff --git a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc new file mode 100644 index 0000000..6009404 --- /dev/null +++ b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iEYEABECAAYFAlUhwHwACgkQsAvGakAaFgCENgCZAYxX6GOQsU+k50P2r1SWIRQp +mmwAoKGcmcQVTM9uBTNp+s0cU2lByHPT +=uDRW +-----END PGP SIGNATURE-----
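Review bot: In the 2015-04-06-apache-addhandler-addtype.en.txt hunk, the suggested find command uses -name, which is case-sensitive, while mod_mime matches extensions case-insensitively, so a file such as secret_database_stuff.PHP.inc would not be listed even though AddHandler executes it today. Suggest -iname for all three patterns, plus a sentence saying that /var/www/ is only an example path and that every DocumentRoot and Alias target needs the same check. Separately, the Title header is 50 characters long; GLEP 42 limits news item titles to 44, so it should be shortened.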
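Review bot: In the 2015-04-06-apache-addhandler-addtype.en.txt.asc hunk, the armored packet starts with iEYEABECAAYF, which decodes to a version 4 DSA signature using SHA-1 as its digest. Suggest re-signing the news item with SHA-256 or stronger (for example gpg --digest-algo SHA256) before pushing, since this signature is what readers rely on to verify the security advice in the .en.txt file.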