Re: about DSA-2452-1 apache2 -- insecure default configuration
On Wed, 18 Apr 2012 18:24:34 +0200, Vincent Lefevre wrote:
> On 2012-04-17 15:39:48 +0000, Camaleón wrote:
>> On Mon, 16 Apr 2012 14:25:17 +0200, Vincent Lefevre wrote:
>> > IMHO, the real bug is in mod_php or mod_rivet, that shouldn't be
>> > active (at least concerning the scripting features) by default unless
>> > this is explicitly told with some "Options" for the concerned
>> > directory.
>> I can be wrong but the bug seems aimed to correct the package which
>> contains the file that enables the alias by default, hence the apache2
> But the user isn't necessarily the administrator. If the admin installs
> mod_php, making the bug appear if the user has added a symlink to
> /usr/share/doc, that's very bad.
Sure, but in such case the user (who is in charge of the "alias" for
their domains) will have to manually make the required corrections and
the same goes for the vhosts. There are times when a global solution
can't be applied and this seems to be one of that situations.