
Bug#301045: marked as done (apache2-common: suexec permissions aren't paranoid)



Your message dated Mon, 18 Apr 2005 03:47:17 -0400
with message-id <E1DNQyT-0003NV-00@newraff.debian.org>
and subject line Bug#301045: fixed in apache2 2.0.54-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Mar 2005 15:17:14 +0000
>From debian@frogcircus.org Wed Mar 23 07:17:13 2005
Return-path: <debian@frogcircus.org>
Received: from mail.frogcircus.org [65.98.78.36] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DE7bd-0005eF-00; Wed, 23 Mar 2005 07:17:13 -0800
Received: from localhost (localhost [127.0.0.1])
  (uid 1000)
  by mail.frogcircus.org with local; Wed, 23 Mar 2005 10:17:10 -0500
  id 0006A82D.42418876.00000A34
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Charles Fry <debian@frogcircus.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2-common: suexec permissions aren't paranoid
X-Mailer: reportbug 3.8
Date: Wed, 23 Mar 2005 10:17:10 -0500
Message-ID: <courier.42418876.00000A34@mail.frogcircus.org>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: apache2-common
Version: 2.0.53-5
Severity: normal

According to http://httpd.apache.org/docs-2.0/suexec.html#install
(Setting paranoid permissions section), the suexec script should be
owned by group www-data and have 4750 permissions, as a security
precaution and "because it is best-practise in general".

Charles

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (90, 'testing'), (80, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1um
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages apache2-common depends on:
ii  apache2-utils               2.0.53-5     utility programs for webservers
ii  debconf                     1.4.30.11    Debian configuration management sy
ii  debianutils                 2.8.4        Miscellaneous utilities specific t
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libdb4.2                    4.2.52-18    Berkeley v4.2 Database Libraries [
ii  libexpat1                   1.95.8-1     XML parsing C library - runtime li
ii  libgcc1                     1:3.4.3-6    GCC support library
ii  libmagic1                   4.12-1       File type determination library us
ii  mime-support                3.28-1       MIME files 'mime.types' & 'mailcap
ii  net-tools                   1.60-10      The NET-3 networking toolkit
ii  openssl                     0.9.7e-2     Secure Socket Layer (SSL) binary a
ii  ssl-cert                    1.0-11       Simple debconf wrapper for openssl

-- no debconf information

---------------------------------------
Received: (at 301045-close) by bugs.debian.org; 18 Apr 2005 07:55:31 +0000
>From katie@ftp-master.debian.org Mon Apr 18 00:55:31 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DNR6R-00005L-00; Mon, 18 Apr 2005 00:55:31 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DNQyT-0003NV-00; Mon, 18 Apr 2005 03:47:17 -0400
From: Adam Conrad <adconrad@0c3.net>
To: 301045-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#301045: fixed in apache2 2.0.54-1
Message-Id: <E1DNQyT-0003NV-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Mon, 18 Apr 2005 03:47:17 -0400
Delivered-To: 301045-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 2

Source: apache2
Source-Version: 2.0.54-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-common_2.0.54-1_i386.deb
  to pool/main/a/apache2/apache2-common_2.0.54-1_i386.deb
apache2-common_2.0.54-1_powerpc.deb
  to pool/main/a/apache2/apache2-common_2.0.54-1_powerpc.deb
apache2-doc_2.0.54-1_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.54-1_all.deb
apache2-mpm-perchild_2.0.54-1_i386.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.54-1_i386.deb
apache2-mpm-perchild_2.0.54-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.54-1_powerpc.deb
apache2-mpm-prefork_2.0.54-1_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.54-1_i386.deb
apache2-mpm-prefork_2.0.54-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.54-1_powerpc.deb
apache2-mpm-threadpool_2.0.54-1_all.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-1_all.deb
apache2-mpm-worker_2.0.54-1_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.54-1_i386.deb
apache2-mpm-worker_2.0.54-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.54-1_powerpc.deb
apache2-prefork-dev_2.0.54-1_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.54-1_i386.deb
apache2-prefork-dev_2.0.54-1_powerpc.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.54-1_powerpc.deb
apache2-threaded-dev_2.0.54-1_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.54-1_i386.deb
apache2-threaded-dev_2.0.54-1_powerpc.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.54-1_powerpc.deb
apache2-utils_2.0.54-1_i386.deb
  to pool/main/a/apache2/apache2-utils_2.0.54-1_i386.deb
apache2-utils_2.0.54-1_powerpc.deb
  to pool/main/a/apache2/apache2-utils_2.0.54-1_powerpc.deb
apache2_2.0.54-1.diff.gz
  to pool/main/a/apache2/apache2_2.0.54-1.diff.gz
apache2_2.0.54-1.dsc
  to pool/main/a/apache2/apache2_2.0.54-1.dsc
apache2_2.0.54-1_i386.deb
  to pool/main/a/apache2/apache2_2.0.54-1_i386.deb
apache2_2.0.54-1_powerpc.deb
  to pool/main/a/apache2/apache2_2.0.54-1_powerpc.deb
apache2_2.0.54.orig.tar.gz
  to pool/main/a/apache2/apache2_2.0.54.orig.tar.gz
libapr0-dev_2.0.54-1_i386.deb
  to pool/main/a/apache2/libapr0-dev_2.0.54-1_i386.deb
libapr0-dev_2.0.54-1_powerpc.deb
  to pool/main/a/apache2/libapr0-dev_2.0.54-1_powerpc.deb
libapr0_2.0.54-1_i386.deb
  to pool/main/a/apache2/libapr0_2.0.54-1_i386.deb
libapr0_2.0.54-1_powerpc.deb
  to pool/main/a/apache2/libapr0_2.0.54-1_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 301045@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 17 Apr 2005 23:10:18 -0600
Source: apache2
Binary: apache2-utils apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-threadpool apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: all i386 powerpc source 
Version: 2.0.54-1
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description: 
 apache2    - next generation, scalable, extendable web server
 apache2-common - next generation, scalable, extendable web server
 apache2-mpm-perchild - experimental high speed perchild threaded model for Apache2
 apache2-mpm-prefork - traditional model for Apache2
 apache2-mpm-worker - high speed threaded model for Apache2
 apache2-prefork-dev - development headers for apache2
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 libapr0    - the Apache Portable Runtime
 libapr0-dev - development headers for libapr
Closes: 301045 301819 305121
Changes: 
 apache2 (2.0.54-1) unstable; urgency=low
 .
   * New upstream bugfix-only release (closes: #305121)
   * Fix debian/watch file to only look at apache 2.0.x, so we stop being
     told about the 2.1 beta releases (and I'll notice new 2.0.x releases)
   * Drop o+rx permissions from suexec2; while it has code in place to
     make sure the caller is www-data, if that code should be buggy,
     filesystem permissions will help mitigate fallout (closes: #301045)
   * Update the 003_build_with_autoconf_2.5 patch to make sure both
     apr and apr-util have an AC_PREREQ for autoconf 2.50, so we don't get
     weird autoconf mix-and-match FTBFS issues (closes: #301819)
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCY2O9vjztR8bOoMkRArqQAKCuhnFVE7gOKwjQhtJebmTWRBzg0wCg5Eml
86pcvzSUpz0jIO4m0h/WpYA=
=Nsvg
-----END PGP SIGNATURE-----
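
The permission layout requested in the report (mode 4750, group www-data) and applied by the changelog entry (no o+rx on suexec2) can be audited with a short script. This is an added example, not part of the original thread or the Debian package; the function name audit_suexec is hypothetical, the root owner default is an assumption, GNU stat is assumed, and the path to the binary must be supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a suexec binary against the "paranoid" layout,
# i.e. setuid, owner rwx, group r-x, nothing for others (mode 4750).
# Usage: audit_suexec PATH [OWNER] [GROUP]
# OWNER defaults to root (assumption); GROUP defaults to www-data (from the report).

audit_suexec() (
    file=${1:?usage: audit_suexec PATH [OWNER] [GROUP]}
    want_owner=${2:-root}
    want_group=${3:-www-data}
    rc=0

    [ -f "$file" ] || { echo "MISSING $file"; exit 2; }

    # GNU stat: octal mode, owner name, group name.
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 owner=$2 group=$3

    [ "$owner" = "$want_owner" ] || { echo "FAIL owner=$owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "FAIL group=$group, want $want_group"; rc=1; }

    # Bit tests on the octal mode; the leading 0 makes the shell parse it as octal.
    # Without the setuid bit the wrapper cannot switch users at all.
    [ $(( 0$mode & 04000 )) -ne 0 ] || { echo "FAIL setuid bit missing (mode $mode)"; rc=1; }
    # Any "other" bit means the caller check inside suexec is the only
    # barrier; this is the o+rx the 2.0.54-1 changelog drops.
    [ $(( 0$mode & 00007 )) -eq 0 ] || { echo "FAIL world-accessible bits set (mode $mode)"; rc=1; }
    # Finally require the exact mode, which also catches group-write and similar.
    [ "$mode" = 4750 ] || { echo "FAIL mode=$mode, want 4750"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK $file mode=$mode $owner:$group"
    exit "$rc"
)
```

The function returns 0 only when owner, group and mode all match, so it can be dropped into a post-install or configuration-management check.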


