Subject: Re: apache unstability
To: Emmanuel Dreyfus <manu@netbsd.org>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-users
Date: 03/07/2003 22:54:23

On Fri, Mar 07, 2003 at 04:56:32PM +0100, Emmanuel Dreyfus wrote:
> Hi all
> 
> I recently upgraded Apache because of the recent PHP security hole. Since that
> day, my httpd processes get hundreds of SIGSEGV a day. Sometimes, the httpd
> master process even dies, roughly every 3 days. I had to set up a crontab to
> relaunch apache if it died.
> 
> The crashes do not always happen at the same place. Here are two backtraces
> collected from the httpd core dump:
> #0  0x48a0d954 in ?? ()
> #1  0x807fb8e in clean_parent_exit ()
> #2  0x8082231 in standalone_main ()
> #3  0x808276f in main ()
> #4  0x8051f30 in ___start ()
> 
> #0  0x48a17e6c in pthread_rwlockattr_init () from /usr/pkg/lib/libpthread.so.14
> #1  0x8081ab3 in startup_children ()
> #2  0x8081f95 in standalone_main ()
> #3  0x808276f in main ()
> #4  0x8051f30 in ___start ()
> 
> Here are the packages I use around apache:
> 
> ap-php-4.2.3       ap-xslt-1.1nb3

BTW, php-4.1.2 is *not* vulnerable, there was a mistake in the vulnerability
file. Maybe try to downgrade to php-4.1.2? I've uploaded the binary
package to the ftp server again.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 24 years of experience will always make the difference