
Bug#572075: marked as done (apache2-common: standard apache2.conf is insecure with respect to Satisfy any)



Your message dated Wed, 10 Mar 2010 21:48:14 +0000
with message-id <E1NpTlG-0005bX-JT@ries.debian.org>
and subject line Bug#572075: fixed in apache2 2.2.15-2
has caused the Debian Bug report #572075,
regarding apache2-common: standard apache2.conf is insecure with respect to Satisfy any
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
572075: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572075
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.9-10+lenny6
Severity: important
Tags: patch


The apache2.conf contains 

	<Files ~ "^\.ht">
	    Order allow,deny
	    Deny from all
	</Files>

If in some other part of the configuration file (e.g.
inside some virtual host configuration) the
AuthType, ... Require ... directives *and* "Satisfy any"
are used, it seems to apply to the above-mentioned <Files>...
too. Thus *any* authenticated user may access the .ht* files.

I consider this a serious security issue.
Adding "Satisfy all" to the above block would solve this and
should not harm otherwise.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
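The interaction the report describes, as an added example that is neither the reporter's configuration nor Debian's shipped apache2.conf: the original global block, a virtual-host section that sets "Satisfy any", and the corrected block with "Satisfy all". The directory path, realm name and password file are assumptions.

```apache
# Added example, not from the bug report or the Debian package.
# Apache 2.2 merges Order/Deny, Require and Satisfy per request; a
# <Files> section that sets no Satisfy of its own inherits the value
# from the <Directory> or <Location> sections merged before it.

# --- Global block as shipped in apache2.conf before 2.2.15-2 ---
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# --- Elsewhere, e.g. inside a virtual host (path/realm/file assumed) ---
<Directory /var/www/private>
    AuthType Basic
    AuthName "Restricted area (assumed realm)"
    AuthUserFile /etc/apache2/htpasswd.assumed
    Require valid-user
    Satisfy any
</Directory>
# Effective rules for /var/www/private/.htaccess:
#   Deny from all      -> host-based check fails
#   Require valid-user -> user-based check passes for any logged-in user
#   Satisfy any        -> either check suffices, so the file is served

# --- Corrected global block (what the 2.2.15-2 change adds) ---
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>
# Satisfy all requires BOTH checks to pass; Deny from all always fails,
# so .ht* files stay forbidden even for authenticated users.
```

After changing the block, "apache2ctl configtest" verifies the syntax, and a request for a .htaccess file sent with valid credentials should now be answered with 403.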
--- Begin Message ---
Source: apache2
Source-Version: 2.2.15-2

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.15-2_i386.deb
  to main/a/apache2/apache2-dbg_2.2.15-2_i386.deb
apache2-doc_2.2.15-2_all.deb
  to main/a/apache2/apache2-doc_2.2.15-2_all.deb
apache2-mpm-event_2.2.15-2_i386.deb
  to main/a/apache2/apache2-mpm-event_2.2.15-2_i386.deb
apache2-mpm-itk_2.2.15-2_i386.deb
  to main/a/apache2/apache2-mpm-itk_2.2.15-2_i386.deb
apache2-mpm-prefork_2.2.15-2_i386.deb
  to main/a/apache2/apache2-mpm-prefork_2.2.15-2_i386.deb
apache2-mpm-worker_2.2.15-2_i386.deb
  to main/a/apache2/apache2-mpm-worker_2.2.15-2_i386.deb
apache2-prefork-dev_2.2.15-2_i386.deb
  to main/a/apache2/apache2-prefork-dev_2.2.15-2_i386.deb
apache2-suexec-custom_2.2.15-2_i386.deb
  to main/a/apache2/apache2-suexec-custom_2.2.15-2_i386.deb
apache2-suexec_2.2.15-2_i386.deb
  to main/a/apache2/apache2-suexec_2.2.15-2_i386.deb
apache2-threaded-dev_2.2.15-2_i386.deb
  to main/a/apache2/apache2-threaded-dev_2.2.15-2_i386.deb
apache2-utils_2.2.15-2_i386.deb
  to main/a/apache2/apache2-utils_2.2.15-2_i386.deb
apache2.2-bin_2.2.15-2_i386.deb
  to main/a/apache2/apache2.2-bin_2.2.15-2_i386.deb
apache2.2-common_2.2.15-2_i386.deb
  to main/a/apache2/apache2.2-common_2.2.15-2_i386.deb
apache2_2.2.15-2.diff.gz
  to main/a/apache2/apache2_2.2.15-2.diff.gz
apache2_2.2.15-2.dsc
  to main/a/apache2/apache2_2.2.15-2.dsc
apache2_2.2.15-2_i386.deb
  to main/a/apache2/apache2_2.2.15-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 572075@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 10 Mar 2010 21:06:06 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source all i386
Version: 2.2.15-2
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-itk - multiuser MPM for Apache 2.2
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 572075 573163
Changes: 
 apache2 (2.2.15-2) unstable; urgency=low
 .
   * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding
     Satisfy all. Closes: #572075
   * mod_reqtimeout: Various bug fixes, including:
     - Don't mess up timeouts of mod_proxy's backend connections.
       Closes: #573163




--- End Message ---
