(In reply to Eric Schirra from comment #4) > This is no security risc, because with root:root you can not use this plugin. > Apache must have write rights to save and generate keys. > With root:root apache can not do this. Are you sure? The vulnerability is about remote attackers reading confidential files due to them being web readable and in the web tree, which is the case here.