
Bug#162395: marked as done (apache: /doc world readable on upgraded current stable)



Your message dated Mon, 06 Oct 2003 12:32:20 -0400
with message-id <E1A6YHU-0003eB-00@auric.debian.org>
and subject line Bug#162395: fixed in apache 1.3.28-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 26 Sep 2002 08:09:29 +0000
>From era@there.afraid.org Thu Sep 26 03:09:29 2002
Return-path: <era@there.afraid.org>
Received: from rhols66.adsl.netsonic.fi (there.afraid.org) [194.29.198.66] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17uTiC-0003QG-00; Thu, 26 Sep 2002 03:09:28 -0500
Received: from era by there.afraid.org with local (Exim 3.35 #1 (Debian))
	id 17uTiA-0005LC-00
	for <submit@bugs.debian.org>; Thu, 26 Sep 2002 11:09:26 +0300
From: era eriksson <era@iki.fi>
Subject: apache: /doc world readable on upgraded current stable
To: submit@bugs.debian.org
X-Mailer: bug 3.3.10.1
X-Debbugs-Cc: era+debian@iki.fi
Message-Id: <E17uTiA-0005LC-00@there.afraid.org>
Sender: era eriksson <era@there.afraid.org>
Date: Thu, 26 Sep 2002 11:09:26 +0300
Delivered-To: submit@bugs.debian.org

Cc: security@debian.org
Package: apache
Version: 1.3.26-0woody1
Severity: grave

I found that /etc/apache/access.conf on my system had a bug which
would allow anybody to access /doc on my server. While this is
apparently fixed in newer versions of Apache (the current package
seems to have a completely empty access.conf and a reasonable default
for /doc in httpd.conf), the hole will apparently remain on any
installation where Apache has merely been upgraded from an earlier
version which had this bug.

The configuration file access.conf would include a section which
supposedly would restrict access to /doc, but the path name is wrong,
and so the permissions are not being applied at all, resulting in
access to anybody anywhere to the /doc directory. Since this will
effectively let anybody find exactly what packages are installed on
the system, and exactly what their versions are, this could be used by
an attacker to easily locate a package with a known security hole on
vulnerable systems.

The quick fix is to patch access.conf to correct the wrong path:

--- /etc/apache/access.conf~	Thu Mar 28 15:43:34 2002
+++ /etc/apache/access.conf	Thu Sep 26 10:52:17 2002
@@ -67,7 +67,7 @@
 
 # Debian Policy assumes /usr/doc is "/doc/", at least from the localhost.
 
-<Directory /usr/doc>
+<Directory /usr/share/doc>
 Options Indexes FollowSymLinks
 AllowOverride None
 order deny,allow
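
Review bot: the comment kept as context two lines above the changed <Directory> line still says Debian Policy assumes /usr/doc is "/doc/", so after this change it names a different path from the section it introduces; update it in the same patch to say /usr/share/doc. Replacing the path outright also removes the only section for /usr/doc, so if an upgraded system still maps a URL onto /usr/doc, that tree is left without these directives; a second <Directory /usr/doc> block next to the new one would cover both. The hunk stops at "order deny,allow", so the deny/allow lines that actually restrict access are not visible here and should be confirmed unchanged.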

Longer term, I would hope that the preinst script would check for this
problem in "preinst upgrade" and offer to simply replace the entire
configuration if the old configuration files are unchanged, and
otherwise run through an installation dialog, or at least display a
warning with an explanation of this problem.

Since this bug has security implications, I'm taking the liberty to
set the severity to "grave" and Cc:ing this to security@debian.org (if
I can remember how to coerce bug(1) to do that; otherwise I'll resend
under separate cover).

/* era */

-- System Information
Debian Release: 3.0
Kernel Version: Linux there.afraid.org 2.2.17 #1 Sun Jun 25 09:24:41 EST 2000 i586 unknown

Versions of the packages apache depends on:
ii  apache-common  1.3.26-0woody1 Support files for all Apache webservers
ii  dpkg           1.9.21         Package maintenance system for Debian
ii  libc6          2.2.5-11.1     GNU C Library: Shared libraries and Timezone
ii  libdb2         2.7.7.0-7      The Berkeley database routines (run-time fil
ii  libexpat1      1.95.2-6       XML parsing C library - runtime library
ii  logrotate      3.5.9-8        Log rotation utility
ii  mime-support   3.18-1         MIME files 'mime.types' & 'mailcap', and sup
ii  perl           5.6.1-7        Larry Wall's Practical Extraction and Report
ii  perl           5.6.1-7        Larry Wall's Practical Extraction and Report
	^^^ (Provides virtual package perl5)
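
The mismatch described in the report above can be checked for mechanically. The following is an added example, not part of the original report or of the Debian apache package: it lists every Alias whose filesystem target is not inside any <Directory> section. The Alias lines and the deny/allow lines in the sample are constructed assumptions, and uncovered_aliases is a hypothetical helper name.

```python
import re
from pathlib import PurePosixPath

# Constructed sample modelled on the report. The Alias line and the
# deny/allow lines are assumptions; only the <Directory /usr/doc> header,
# Options, AllowOverride and order lines appear in the reported hunk.
SAMPLE_CONF = """\
Alias /doc/ /usr/share/doc/
Alias /icons/ /usr/share/apache/icons/

<Directory /usr/doc>
Options Indexes FollowSymLinks
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>

<Directory /usr/share/apache/icons>
Options Indexes MultiViews
</Directory>
"""
# The same sample with the one-line fix from the report applied.
PATCHED_CONF = SAMPLE_CONF.replace("<Directory /usr/doc>",
                                   "<Directory /usr/share/doc>")

ALIAS_RE = re.compile(r'^[ \t]*Alias[ \t]+(\S+)[ \t]+"?([^"\s]+)"?', re.I | re.M)
# Plain paths only; regex (~) and wildcard sections are not interpreted.
DIR_RE = re.compile(r'^[ \t]*<Directory[ \t]+"?([^">\s]+)"?[ \t]*>', re.I | re.M)

def uncovered_aliases(conf_text):
    """Return (url_prefix, fs_path) for each Alias whose target is not
    inside any <Directory> section. Apache matches <Directory> against the
    literal path it uses to reach the file, so a section written for a
    different path contributes nothing to that Alias."""
    sections = [PurePosixPath(p) for p in DIR_RE.findall(conf_text)]
    findings = []
    for url, target in ALIAS_RE.findall(conf_text):
        path = PurePosixPath(target)
        # A section applies to its own directory and everything below it.
        if not any(s == path or s in path.parents for s in sections):
            findings.append((url, str(path)))
    return findings

if __name__ == "__main__":
    for label, conf in (("as shipped", SAMPLE_CONF), ("patched", PATCHED_CONF)):
        print(label, uncovered_aliases(conf))
```

An Alias that is covered is not necessarily restricted; the check only flags sections that never apply, which is the failure reported here.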

---------------------------------------
Received: (at 162395-close) by bugs.debian.org; 6 Oct 2003 16:39:01 +0000
>From katie@auric.debian.org Mon Oct 06 11:39:01 2003
Return-path: <katie@auric.debian.org>
Received: from auric.debian.org [206.246.226.45] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1A6YNw-0007bf-00; Mon, 06 Oct 2003 11:39:00 -0500
Received: from katie by auric.debian.org with local (Exim 3.35 1 (Debian))
	id 1A6YHU-0003eB-00; Mon, 06 Oct 2003 12:32:20 -0400
From: fabbione@fabbione.net (Fabio M. Di Nitto)
To: 162395-close@bugs.debian.org
X-Katie: $Revision: 1.37 $
Subject: Bug#162395: fixed in apache 1.3.28-1
Message-Id: <E1A6YHU-0003eB-00@auric.debian.org>
Sender: Archive Administrator <katie@auric.debian.org>
Date: Mon, 06 Oct 2003 12:32:20 -0400
Delivered-To: 162395-close@bugs.debian.org

Source: apache
Source-Version: 1.3.28-1

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.28-1_i386.deb
  to pool/main/a/apache/apache-common_1.3.28-1_i386.deb
apache-dev_1.3.28-1_i386.deb
  to pool/main/a/apache/apache-dev_1.3.28-1_i386.deb
apache-doc_1.3.28-1_all.deb
  to pool/main/a/apache/apache-doc_1.3.28-1_all.deb
apache-perl_1.3.28-1_i386.deb
  to pool/main/a/apache/apache-perl_1.3.28-1_i386.deb
apache-ssl_1.3.28-1_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.28-1_i386.deb
apache_1.3.28-1.diff.gz
  to pool/main/a/apache/apache_1.3.28-1.diff.gz
apache_1.3.28-1.dsc
  to pool/main/a/apache/apache_1.3.28-1.dsc
apache_1.3.28-1_i386.deb
  to pool/main/a/apache/apache_1.3.28-1_i386.deb
apache_1.3.28.orig.tar.gz
  to pool/main/a/apache/apache_1.3.28.orig.tar.gz
libapache-mod-perl_1.28-1_i386.deb
  to pool/main/a/apache/libapache-mod-perl_1.28-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 162395@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio M. Di Nitto <fabbione@fabbione.net> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 06 Oct 2003 07:58:37 +0200
Source: apache
Binary: libapache-mod-perl apache-perl apache-ssl apache apache-common apache-doc apache-dev
Architecture: source i386 all
Version: 1.3.28-1
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Fabio M. Di Nitto <fabbione@fabbione.net>
Description: 
 apache     - Versatile, high-performance HTTP server
 apache-common - Support files for all Apache webservers
 apache-dev - Apache webserver development kit
 apache-doc - Apache webserver docs
 apache-perl - Versatile, high-performance HTTP server with Perl support
 apache-ssl - Versatile, high-performance HTTP server with SSL support
 libapache-mod-perl - Integration of perl with the Apache web server
Closes: 68978 90107 132060 136972 137541 141344 144964 146749 150543 150625 150646 150711 155750 158194 158391 158391 162395 173775 176083 182429 184366 197990 200511 205887 207453 208054 208842 209276 210041 211872 212812 213397 213411 213414 213575 213613 213815 213974 214052
Changes: 
 apache (1.3.28-1) unstable; urgency=low
 .
   * (Thom May)
     - Remove 016_fix_ia64_segfault
   * (Fabio M. Di Nitto)
     - New upstream releases (Closes: #210041)
     - libapache-mod-perl switched to use modules-config
     - No more attempts to fix users config will be done.
       Changes that should be done will be only suggested.
       (Closes: #205887, #136972, #162395)
     - Fixed mod_bandwith paths (Closes: #213815, #182429, #146749)
     - Got rid of /etc/apache{-perl,-ssl}/apache_not_to_be_run in favour
       of debconf.
     - Got rid of apacheconfig* in favour of modules-config and debconf
       (Closes: #207453, #209276, #68978, #90107, #132060, #158391, #173775)
       (Closes: #141344, #144964, #150543, #150625, #150711, #150646, #197990)
       (Closes: #155750, #158194, #158391, #176083, #184366, #137541, #208054)
       Thanks Joey H. it wouldn't be possible without you
     - Recompiled with new perl 5.8.1
       (Closes: #213397, #213411, #213414, #213575, #213613, #213974, #214052)
     - Cleaned apache-ssl.preinst (Closes: #212812)
     - Added AES support to apache-ssl (Closes: #211872)
     - Removed mod_fastcgi from apache-contrib source. It is non-free
     - Fixed apache{-ssl,-perl]}.config to check correct suexec path
       (Closes: #200511, #208842)
     - Removed ssl-certificate
     - I must thank here Brian "laotse" Knox for his support during
       this release cycle that avoided me a couple of tons of RTFM ;).
Files: 
 829fc2d42aaa26249d950a55a862776d 982 web optional apache_1.3.28-1.dsc
 bce9eca0f7f6b5c0772531578e56ffce 3016289 web optional apache_1.3.28.orig.tar.gz
 fba1ddf5300bd03761d0d23bf9aaf772 413479 web optional apache_1.3.28-1.diff.gz
 3b9b33d06f4c8e93a2dafdb711ed284c 1099534 doc optional apache-doc_1.3.28-1_all.deb
 7473fca1c1e380560c9ee738fbe917f2 357380 web optional apache_1.3.28-1_i386.deb
 10a299a04e810f4446cc45bd5f943391 404194 web optional apache-ssl_1.3.28-1_i386.deb
 9a710abbc406bc7a88330acd153e30f1 472044 web extra apache-perl_1.3.28-1_i386.deb
 ea268c8d07530d3ac30c9be4888318c2 1661192 devel extra apache-dev_1.3.28-1_i386.deb
 9acb6d8379f6727a5a194c4589245943 835944 web optional apache-common_1.3.28-1_i386.deb
 c715d276b5fbd1236bfbc301b3621c02 470820 web optional libapache-mod-perl_1.28-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/gZI9hCzbekR3nhgRArxMAJ9Y/w//pm9Tvdo3BIvSiv8sxjE+owCfc6qw
U2dlpMFJ0IpCKK/MLPWpOoE=
=p7PG
-----END PGP SIGNATURE-----


