diff -urNp -x '*.orig' apache_1.3.42.org/src/support/suexec.c apache_1.3.42/src/support/suexec.c
--- apache_1.3.42.org/src/support/suexec.c	2006-07-12 10:16:05.000000000 +0200
+++ apache_1.3.42/src/support/suexec.c	2023-02-02 22:42:51.499834914 +0100
@@ -49,6 +49,10 @@
 
 #include <stdarg.h>
 
+/* for fcntl(fileno(log), F_SETFD, FD_CLOEXEC); */
+#include <unistd.h>
+#include <fcntl.h>
+
 #include "suexec.h"
 
 /*
@@ -148,6 +152,8 @@ static void err_output(const char *fmt,
 	    perror("fopen");
 	    exit(1);
 	}
+	/* Set the close-on-exec flag -- Liyang HU <liyang@nerv.cx> */
+	fcntl(fileno(log), F_SETFD, FD_CLOEXEC);
     }
 
     time(&timevar);
@@ -568,20 +574,6 @@ int main(int argc, char *argv[])
     umask(SUEXEC_UMASK);
 #endif /* SUEXEC_UMASK */
 
-    /* 
-     * Be sure to close the log file so the CGI can't
-     * mess with it.  If the exec fails, it will be reopened 
-     * automatically when log_err is called.  Note that the log
-     * might not actually be open if LOG_EXEC isn't defined.
-     * However, the "log" cell isn't ifdef'd so let's be defensive
-     * and assume someone might have done something with it
-     * outside an ifdef'd LOG_EXEC block.
-     */
-    if (log != NULL) {
-	fclose(log);
-	log = NULL;
-    }
-
     /*
      * Execute the command, replacing our image with its own.
      */