[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#543577: marked as done (apache2: `TraceEnable off` does not disable HTTP TRACE method.)

Your message dated Sat, 29 Aug 2009 11:28:10 +0200
with message-id <87d46fdl5h.fsf@qurzaw.linpro.no>
and subject line Re: Bug#543577:
has caused the Debian Bug report #543577,
regarding apache2: `TraceEnable off` does not disable HTTP TRACE method.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

543577: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543577
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.9-10+lenny4
Severity: grave
Tags: security
Justification: user security hole

Adding `TraceEnable Off` to /etc/apache2/apache2.conf doest not disbable HTTP
TRACE on the server. 

I also tried enabling mod_rewrite and using that method to disable HTTP Trace
and that did not work either. The only software we are running on this server is
WeBWork, an online math homework system. More information about WeBWork is
avaliable at "http://webwork.math.rochester.edu/";. I don't know if it is what is
causing the problem, but due to the program being in heavy use at the moment, I
can't shut it down to see.

The following is my /etc/apache2/apache2.conf file:
   |  ServerRoot "/etc/apache2"
   |  LockFile /var/lock/apache2/accept.lock
   |  PidFile ${APACHE_PID_FILE}
   |  TraceEnable Off
   |  Timeout 1200
   |  KeepAlive On
   |  MaxKeepAliveRequests 100
   |  KeepAliveTimeout 15
   |  <IfModule mpm_prefork_module>
   |      StartServers          5
   |      MinSpareServers       5
   |      MaxSpareServers      10
   |      MaxClients           40
   |      MaxRequestsPerChild 100
   |  </IfModule>
   |  <IfModule mpm_worker_module>
   |      StartServers          2
   |      MaxClients          150
   |      MinSpareThreads      25
   |      MaxSpareThreads      75 
   |      ThreadsPerChild      25
   |      MaxRequestsPerChild   0
   |  </IfModule>
   |  User ${APACHE_RUN_USER}
   |  Group ${APACHE_RUN_GROUP}
   |  AccessFileName .htaccess
   |  <Files ~ "^\.ht">
   |      Order allow,deny
   |      Deny from all
   |  </Files>
   |  DefaultType text/plain
   |  HostnameLookups Off
   |  ErrorLog /var/log/apache2/error.log
   |  LogLevel warn
   |  Include /etc/apache2/mods-enabled/*.load
   |  Include /etc/apache2/mods-enabled/*.conf
   |  Include /etc/apache2/httpd.conf
   |  Include /etc/apache2/ports.conf
   |  Include /etc/apache2/conf.d/
   |  LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
   |  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
   |  LogFormat "%h %l %u %t \"%r\" %>s %b" common
   |  LogFormat "%{Referer}i -> %U" referer
   |  LogFormat "%{User-agent}i" agent
   |  ServerTokens Prod
   |  CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined
   |  ServerSignature Off
   |  Include /etc/apache2/sites-enabled/

If you need any more information please email me: almendez@csupomona.edu

Thank you for your time!

~Anthony Mendez

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias apreq auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env info mime
  negotiation perl rewrite setenvif status

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork      2.2.9-10+lenny4 Apache HTTP Server - traditional n

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny4      utility programs for webservers
ii  libapr1             1.2.12-5+lenny1      The Apache Portable Runtime Librar
ii  libaprutil1         1.2.12+dfsg-8+lenny4 The Apache Portable Runtime Utilit
ii  libc6               2.7-18               GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination library us
ii  libssl0.9.8         0.9.8g-15+lenny1     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2 init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' & 'mailcap
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19            Larry Wall's Practical Extraction 
ii  procps              1:3.2.7-11           /proc file system utilities
ii  zlib1g              1:    compression library - runtime

-- no debconf information

--- End Message ---
--- Begin Message ---
]] "Anthony L. Mendez" 

| >Look into
| >/etc/apache2/conf.d/security
| >Maybe there is another 'TraceEnable on' there?
| This was exactly what I was needing. Sorry for any time wasted on this. The bug can be closed.

Ok, closing this bug, then.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

--- End Message ---

Reply to: