1 files changed, 0 insertions, 100 deletions
diff --git a/metadata/news/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt b/metadata/news/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt
deleted file mode 100644
index f90d09191dee..000000000000
--- a/metadata/news/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt
+++ /dev/null
@@ -1,100 +0,0 @@
-Title: Apache AddHandler/AddType exploit protection
-Author: Sebastian Pipping <sping@gentoo.org>
-Content-Type: text/plain
-Posted: 2015-04-06
-Revision: 2
-News-Item-Format: 1.0
-Display-If-Installed: www-servers/apache
-
-Apache's directives AddHandler [1] and AddType [2] can be used
-to map certain file name extensions (e.g. .php) to a handler
-(e.g. application/x-httpd-php).  While a line like
-
-  AddHandler application/x-httpd-php .php .php5 .phtml
-     ^^^^^^^
-matches index.php, it also matches index.php.png.
-With
-
-  AddType application/x-httpd-php .php .php5 .phtml
-     ^^^^
-index.php.png is not executed, but index.php.disabled still is.
-
-
-Apache's notes on multiple file extensions [3] document
-a multi-language website as a context where that behavior
-may be helpful.  Unfortunately, it can also be a security threat.
-
-Combined with (not just PHP) applications that support
-file upload, the AddHandler/AddType directive can get you into
-remote code execution situations.
-
-That is why >=app-eselect/eselect-php-0.7.1-r4 avoids AddHandler
-and is shipping
-
-  <FilesMatch "\.(php|php5|phtml)$">
-    SetHandler application/x-httpd-php
-  </FilesMatch>
-
-instead.
-
-
-Why this news entry?
-
- * Since Apache configuration lives below /etc,
-   you need to run etc-update (or a substitute)
-   to actually have related fixes applied.
-   To get them into the running instance of Apache,
-   you need to make it reload its configuration, e.g.
-
-     sudo /etc/init.d/apache2 reload
-
- * If you are currently relying on AddHandler to execute
-   secret_database_stuff.php.inc, moving away from AddHandler
-   could result in serving your database credentials in plain
-   text.  A command like
-
-     find /var/www/ -name '*.php.*' \
-                 -o -name '*.php5.*' \
-                 -o -name '*.phtml.*'
-
-   may help discovering PHP files that would no longer be executed.
-
-   Shipping automatic protection for this scenario is not trivial,
-   but you could manually install protection based on this recipe:
-
-     <FilesMatch "\.(php|php5|phtml|phps)\.">
-       # a) Apache 2.2 / Apache 2.4 + mod_access_compat
-       #Order Deny,Allow
-       #Deny from all
-
-       # b) Apache 2.4 + mod_authz_core
-       #Require all denied
-
-       # c) Apache 2.x + mod_rewrite
-       #RewriteEngine on
-       #RewriteRule .* - [R=404,L]
-     </FilesMatch>
-
- * You may be using AddHandler or AddType in other places,
-   including off-package files.  Please have a look.
-
- * app-eselect/eselect-php is not the only package affected.
-   There is a dedicated tracker bug at [4].
-   As of the moment, affected packages include:
-
-     app-eselect/eselect-php[apache2]
-     net-nds/gosa-core
-     www-apache/mod_fastcgi
-     www-apache/mod_flvx
-     www-apache/mod_python
-     www-apache/mod_suphp
-     www-apps/moinmoin
-     www-apps/rt[-lighttpd]
-
-
-Thanks to Nico Suhl, Michael Orlitzky and Marc Schiffbauer.
-
-[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler
-[2] https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
-[3] https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
-[4] https://bugs.gentoo.org/show_bug.cgi?id=544560