Re: about DSA-2452-1 apache2 -- insecure default configuration



On 2012-04-19 15:08:55 +0000, Camaleón wrote:
> On Wed, 18 Apr 2012 18:24:34 +0200, Vincent Lefevre wrote:
> > On 2012-04-17 15:39:48 +0000, Camaleón wrote:
> >> On Mon, 16 Apr 2012 14:25:17 +0200, Vincent Lefevre wrote:
> >> > IMHO, the real bug is in mod_php or mod_rivet, that shouldn't be
> >> > active (at least concerning the scripting features) by default unless
> >> > this is explicitly told with some "Options" for the concerned
> >> > directory.
> >> 
> >> I may be wrong, but the bug seems aimed at correcting the package which
> >> contains the file that enables the alias by default, hence the apache2
> >> package.
> > 
> > But the user isn't necessarily the administrator. If the admin installs
> > mod_php, making the bug appear if the user has added a symlink to
> > /usr/share/doc, that's very bad.
> 
> Sure, but in such a case the user (who is in charge of the "alias" for
> their domains) will have to manually make the required corrections, and
> the same goes for the vhosts.

Except that if the user doesn't do this, the same security problem
will occur.

> There are times when a global solution can't be applied, and this
> seems to be one of those situations.

There is a better solution: to fix mod_php and mod_rivet.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
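An added example, not from this thread or from Debian's packaging, of the pattern Vincent proposes for mod_php: the PHP engine is off server-wide and is switched on only for an explicitly listed directory, so a script reachable through the /doc alias (or a symlink under it) is never executed. Apache has no "Options" flag for this; the per-directory switch mod_php provides is php_admin_flag engine, and mod_rivet is not covered here. The /doc block is a reconstruction of the kind of default the DSA concerns and the /var/www/app path is an assumption.

```apache
# Added example (not the thread's or Debian's shipped configuration).
# Assumes Apache 2.2-era syntax with mod_php loaded. The /doc alias
# stands for the kind of default the thread discusses: a directory whose
# contents the administrator does not fully control, reachable over HTTP,
# with FollowSymLinks so a symlink placed there is followed.
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

# Mitigation for mod_php: the engine is off everywhere unless a
# <Directory> block turns it on. php_admin_flag cannot be overridden from
# .htaccess or ini_set(), so anything under /usr/share/doc, symlinked or
# not, is handed back to Apache as a plain file instead of being run.
php_admin_flag engine off

# The only place PHP is allowed to run (the path is an assumption).
# Symlink following and directory listings are off here as well.
<Directory "/var/www/app">
    php_admin_flag engine on
    Options -Indexes -FollowSymLinks
    AllowOverride None
</Directory>
```

With the engine off, mod_php declines the request and Apache serves the .php file's source as-is; if the files must not be readable at all, keep the Deny rule on that directory rather than relying on the engine switch alone.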