
Bug#341022: marked as done (default apache2.conf file should deny access to /)



Your message dated Sun, 15 Apr 2012 19:17:33 +0000
with message-id <E1SJUx3-0000Vp-Gw@franck.debian.org>
and subject line Bug#341022: fixed in apache2 2.4.2-1
has caused the Debian Bug report #341022,
regarding default apache2.conf file should deny access to /
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
341022: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341022
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.0.54-5
Severity: important
Tags: patch


The default configuration file, apache2.conf, of apache2 should have the
following directory denying directive in apache2.conf instead of the
000-default VirtualHost because if a VirtualHost is added and under that
VirtualHost's DocumentRoot the user makes a symlink to "/", he can
access the whole filesystem.

Config lines to be added to /etc/apache2/apache2.conf:

<Directory />
    Order Deny,Allow
    Deny from all
</Directory>


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-custom-skas3-v8.2
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages apache2 depends on:
ii  apache2-mpm-worker            2.0.54-5   high speed threaded model for Apac

apache2 recommends no packages.

-- no debconf information


--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.2-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-bin_2.4.2-1_i386.deb
  to main/a/apache2/apache2-bin_2.4.2-1_i386.deb
apache2-data_2.4.2-1_all.deb
  to main/a/apache2/apache2-data_2.4.2-1_all.deb
apache2-dbg_2.4.2-1_i386.deb
  to main/a/apache2/apache2-dbg_2.4.2-1_i386.deb
apache2-dev_2.4.2-1_i386.deb
  to main/a/apache2/apache2-dev_2.4.2-1_i386.deb
apache2-doc_2.4.2-1_all.deb
  to main/a/apache2/apache2-doc_2.4.2-1_all.deb
apache2-mpm-event_2.4.2-1_i386.deb
  to main/a/apache2/apache2-mpm-event_2.4.2-1_i386.deb
apache2-mpm-itk_2.4.2-1_i386.deb
  to main/a/apache2/apache2-mpm-itk_2.4.2-1_i386.deb
apache2-mpm-prefork_2.4.2-1_i386.deb
  to main/a/apache2/apache2-mpm-prefork_2.4.2-1_i386.deb
apache2-mpm-worker_2.4.2-1_i386.deb
  to main/a/apache2/apache2-mpm-worker_2.4.2-1_i386.deb
apache2-suexec-custom_2.4.2-1_i386.deb
  to main/a/apache2/apache2-suexec-custom_2.4.2-1_i386.deb
apache2-suexec-pristine_2.4.2-1_i386.deb
  to main/a/apache2/apache2-suexec-pristine_2.4.2-1_i386.deb
apache2-suexec_2.4.2-1_i386.deb
  to main/a/apache2/apache2-suexec_2.4.2-1_i386.deb
apache2-utils_2.4.2-1_i386.deb
  to main/a/apache2/apache2-utils_2.4.2-1_i386.deb
apache2.2-bin_2.4.2-1_i386.deb
  to main/a/apache2/apache2.2-bin_2.4.2-1_i386.deb
apache2_2.4.2-1.debian.tar.gz
  to main/a/apache2/apache2_2.4.2-1.debian.tar.gz
apache2_2.4.2-1.dsc
  to main/a/apache2/apache2_2.4.2-1.dsc
apache2_2.4.2-1_i386.deb
  to main/a/apache2/apache2_2.4.2-1_i386.deb
apache2_2.4.2.orig.tar.bz2
  to main/a/apache2/apache2_2.4.2.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 341022@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 15 Apr 2012 20:50:28 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2.2-bin apache2-utils apache2-suexec apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-dbg
Architecture: source i386 all
Version: 2.4.2-1
Distribution: experimental
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (binary files and modules)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-mpm-event - transitional event MPM package for apache2
 apache2-mpm-itk - transitional itk MPM package for apache2
 apache2-mpm-prefork - transitional prefork MPM package for apache2
 apache2-mpm-worker - transitional worker MPM package for apache2
 apache2-suexec - transitional package for apache2-suexec-pristine
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 apache2.2-bin - Transitional package for apache2-bin
Closes: 341022 548213 589638 649020 666875
Changes: 
 apache2 (2.4.2-1) experimental; urgency=low
 .
   * New upstream release
 .
   [ Arno Töll ]
   * Drop update-alternative call in postrm. Our prerm script catches them
     already anyway.
   * Update my mail address.
   * Fix "dh_apache2 does not set "x" bits on /usr/lib/apache2/modules/"
     Set directory permissions to 755 by default (Closes: #666875). Thanks Axel
     Beckert for the hint.
   * Add /usr/share/doc/apache2/migrate-sites.pl, a script to assist users to
     give sites a .conf suffix, add a hint to the NEWS file.
   * Do stateful configuration handling by remembering who enabled when a
     particular piece of configuration. That way it can be told under which
     circumstances for example modules should be re-enabled. Thanks to Filip M.
     Nowak, who provided the patch on which my changes are built.
   * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
     to override LDFLAGS at compile time by defining LDFLAGS in the environment,
     just like it is possible for CFLAGS. This also means config_vars.mk now
     exports hardening build flags by default.
   * Provide the virtual packages httpd and httpd-cgi again.
 .
 .
   [ Stefan Fritsch ]
   * Change default config to deny access to / in the file system and only
     allow access to /var/www, /usr/share, and /usr/lib/cgi-bin. Closes: #341022
   * Disable MultiViews in the default config.
   * Update ssl default cipher config, add alternative speed optimized config.
     Closes: #649020
   * Move the configuration of /usr/lib/cgi-bin into a separate config file.
     Closes: #589638
   * Comment out per-vhost loglevel.
   * Add section to security.conf that shows how to forbid access to VCS
     directories. Closes: #548213
   * Change the compiled in default of DocumentRoot to /var/www by updating
     fhs_compliance.patch
   * Re-add mpm_itk (version 2.4.1-pre01). This is still very experimental!
Checksums-Sha1: 
 8c826d96840b894c26121e084dca78c7ec1d74c3 2296 apache2_2.4.2-1.dsc
 8d391db515edfb6623c0c7c6ce5c1b2e1f7c64c2 4132105 apache2_2.4.2.orig.tar.bz2
 beedc77078523d833ac8011b0164528d98ae7c6c 174477 apache2_2.4.2-1.debian.tar.gz
 68503542cdca6cb18307598911b0a667d13f6767 178836 apache2_2.4.2-1_i386.deb
 a7e3eb3910de4fab260a2e0257bc4fd66a7f056e 131062 apache2-data_2.4.2-1_all.deb
 0b4e7020c6382a7150d440ac54f72869978814de 1267742 apache2-bin_2.4.2-1_i386.deb
 6268a4f4ffcb383e7c1cef500bf50da78c99b631 796 apache2-mpm-worker_2.4.2-1_i386.deb
 307ef213edb7c192b2fadfc30f8cfd4e4c09dc71 796 apache2-mpm-prefork_2.4.2-1_i386.deb
 7b80e6135449fcf6200063728aa681a39d913542 796 apache2-mpm-event_2.4.2-1_i386.deb
 2961b0098f1fab7a5ec89b3231352e8f28b84bae 95144 apache2-mpm-itk_2.4.2-1_i386.deb
 7fcc1e2495eb0b38f5d0232e48a58fcc97effc3c 95148 apache2.2-bin_2.4.2-1_i386.deb
 430064ba89952a7f3f9a8911910efcf41db22768 187548 apache2-utils_2.4.2-1_i386.deb
 84f0f20673750323d5278884915d37ca79f4d05c 796 apache2-suexec_2.4.2-1_i386.deb
 a3d15f94f037dce56f06b093242960377f2252ea 103084 apache2-suexec-pristine_2.4.2-1_i386.deb
 38c452f960027ce689baf5cb99067905ad24f54d 104806 apache2-suexec-custom_2.4.2-1_i386.deb
 6916ef4641663078626b5cf334da094ad30afa6f 3246158 apache2-doc_2.4.2-1_all.deb
 125d870a38b91682d0819a6a75cd09dc1200b22b 186370 apache2-dev_2.4.2-1_i386.deb
 43e07d749e3c35a2732693478af7df754942af18 2487524 apache2-dbg_2.4.2-1_i386.deb
Checksums-Sha256: 
 87535789624ca254b055f24473d1f0d94e203065a09fd601cb2d79ae5bf6e5c3 2296 apache2_2.4.2-1.dsc
 5382f9c507d3d02706e33d6308ea041f39e8511b5948aef0ca188df8f90159b8 4132105 apache2_2.4.2.orig.tar.bz2
 5b141e23c4478398ab8184c3a570c1306349882072239635b7b7ffac1217505b 174477 apache2_2.4.2-1.debian.tar.gz
 580b78ef05a3a16e9347b030af47262ef6087f564e6688fed389858a3cde43f2 178836 apache2_2.4.2-1_i386.deb
 0249c63cc443c2aaaf41344c40841ef00a5b8eb9809095f14e9d6c67a8fa8a48 131062 apache2-data_2.4.2-1_all.deb
 ef1df0c667f7200422d49fe9cb45ae5c927ebb48c81fbea28ab632435dde5142 1267742 apache2-bin_2.4.2-1_i386.deb
 f9a6593763f8e80668cfdb116a0d94d1f3f33b23980c91e7372d751b4375eb45 796 apache2-mpm-worker_2.4.2-1_i386.deb
 227acedd21deee534e95720aa3fde09ce8aacac7a72cf9023b00b76b19fcc3f1 796 apache2-mpm-prefork_2.4.2-1_i386.deb
 5100541eef68fc09ac401fdb44b686eeb0cb2048a3ad1369e51606bab53b13bf 796 apache2-mpm-event_2.4.2-1_i386.deb
 01376466539b0e3447b9ae01580f9ed42f477e0cb5a2bd4fe0e78567922eabc5 95144 apache2-mpm-itk_2.4.2-1_i386.deb
 50b55965b3d18ab71368bb168e77e1caa41eba04f616e6f0354cf2fe031626cd 95148 apache2.2-bin_2.4.2-1_i386.deb
 c9024759e8208c67e1b04dbdea4c1a12f0d1b87a10833bf07fc429767cfd6bc8 187548 apache2-utils_2.4.2-1_i386.deb
 d0ce5c109b973611b33da243f88e057af4669f11d89f431815c74ebd1d3cd65e 796 apache2-suexec_2.4.2-1_i386.deb
 5021e884c66177f359cb6e21bcd53312919ae2d9bc2128a59233c70002bb615c 103084 apache2-suexec-pristine_2.4.2-1_i386.deb
 63874b29bbca82676d665e059d9ba0f18ed63e1c7762c829dbf28e552f70a414 104806 apache2-suexec-custom_2.4.2-1_i386.deb
 92252f5451e24d0360fc3ade878268a071fb7f0f04f5c7c02bcef8a8e4516248 3246158 apache2-doc_2.4.2-1_all.deb
 14c8094c81cc7acb9ba6b5b0d8d32b612996d8f98cd1960162a526426a7315be 186370 apache2-dev_2.4.2-1_i386.deb
 1a696a704c71682d5c57271d608fc88ce5b96d464af944e6042cdaf3faa2d125 2487524 apache2-dbg_2.4.2-1_i386.deb
Files: 
 da463c8ea1c23ececc19a6f06ff5109a 2296 httpd optional apache2_2.4.2-1.dsc
 6bb12f726e22656f0ad2baf91f1f8329 4132105 httpd optional apache2_2.4.2.orig.tar.bz2
 8cf42158cf8dfa830fc444dd8513d46a 174477 httpd optional apache2_2.4.2-1.debian.tar.gz
 9c2011c42b2b06b0b6971510f957a9b4 178836 httpd optional apache2_2.4.2-1_i386.deb
 44434c8c31eb859f6b27f80c1f4fdc32 131062 httpd optional apache2-data_2.4.2-1_all.deb
 bfbff14d2d261912e667e2024dd432d3 1267742 httpd optional apache2-bin_2.4.2-1_i386.deb
 926d8d164459f1e84b8cec5fc0dc9d7d 796 oldlibs extra apache2-mpm-worker_2.4.2-1_i386.deb
 6537b4807383ac420560bafcb68a564b 796 oldlibs extra apache2-mpm-prefork_2.4.2-1_i386.deb
 4f7c7c183deb9357bd52e61251257128 796 oldlibs extra apache2-mpm-event_2.4.2-1_i386.deb
 4ea730c6895dff58528c247f62c82089 95144 oldlibs extra apache2-mpm-itk_2.4.2-1_i386.deb
 48af2114685243a1b9c4514353063513 95148 oldlibs extra apache2.2-bin_2.4.2-1_i386.deb
 9f8b4ebbf54fe76b7b48149969f7a426 187548 httpd optional apache2-utils_2.4.2-1_i386.deb
 97259892aa28251fcb0713366b5281d9 796 oldlibs extra apache2-suexec_2.4.2-1_i386.deb
 7f7e91e6a519dce4721da4d037bbd935 103084 httpd optional apache2-suexec-pristine_2.4.2-1_i386.deb
 251be8d26e76e7c5f8a5db431b8f0574 104806 httpd extra apache2-suexec-custom_2.4.2-1_i386.deb
 e0cc935c5c0bc44099d1e74c9b4a19af 3246158 doc optional apache2-doc_2.4.2-1_all.deb
 b541a83bd433be9cf1ef348c54348ee9 186370 httpd optional apache2-dev_2.4.2-1_i386.deb
 1beaa651ce8711832699975ae343df4d 2487524 debug extra apache2-dbg_2.4.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFPixsubxelr8HyTqQRArw4AKCUZQpkyKxY5KRrFtrga8efwKFuvwCfcEx0
JA5P1yxR5j8CkH7I3obBpXw=
=kyM4
-----END PGP SIGNATURE-----



--- End Message ---
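The report above places the root denial inside the 000-default VirtualHost, where a second vhost is not covered by it, and the 2.4.2-1 changelog moves it to a global `<Directory />` that denies everything and then grants /var/www, /usr/share and /usr/lib/cgi-bin. The following audit script is an added example, not part of the bug report or the Debian package: it parses an httpd configuration, finds every `<Directory />` block, and reports whether a *global* (depth 0) one denies all clients in either the 2.2 `Order`/`Deny from` syntax the reporter used or the 2.4 `Require all denied` syntax. The two embedded configurations are constructed samples modelled on the report and on the changelog entry; they are not the files Debian shipped.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the pre-fix layout the report describes:
# the root denial lives only inside the default vhost, so a second vhost
# whose DocumentRoot contains a symlink to "/" is not covered by it.
WEAK_CONF = """\
<VirtualHost *:80>
    DocumentRoot /var/www
    <Directory />
        Order Deny,Allow
        Deny from all
    </Directory>
    <Directory /var/www>
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>
"""

# Constructed sample in the spirit of the 2.4.2-1 fix: a global denial for
# "/" plus explicit grants for the three paths named in the changelog,
# written in Apache 2.4 mod_authz_core syntax.
FIXED_CONF = """\
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<Directory /usr/share>
    Require all granted
</Directory>
<Directory /var/www>
    Require all granted
</Directory>
<Directory /usr/lib/cgi-bin>
    Require all granted
</Directory>
"""

_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def parse_sections(conf: str) -> List[dict]:
    """Return every <Section arg> block as a dict with name, arg, nesting depth
    and the directive lines directly inside it. Comments and blank lines are
    dropped; mismatched or unclosed sections raise ValueError."""
    stack: List[dict] = []
    sections: List[dict] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _OPEN.match(line)
        if m:
            sec = {"name": m.group(1), "arg": m.group(2).strip().strip('"'),
                   "depth": len(stack), "lines": []}
            sections.append(sec)
            stack.append(sec)
            continue
        m = _CLOSE.match(line)
        if m:
            if not stack or stack[-1]["name"].lower() != m.group(1).lower():
                raise ValueError(f"unbalanced </{m.group(1)}>")
            stack.pop()
            continue
        if stack:
            stack[-1]["lines"].append(line)
    if stack:
        raise ValueError("unclosed section " + stack[-1]["name"])
    return sections


def denies_all(lines: List[str]) -> bool:
    """True if the directives deny every client, in 2.2 or 2.4 syntax."""
    d = [l.lower() for l in lines]
    if any(re.fullmatch(r"require\s+all\s+denied", x) for x in d):
        return True                      # Apache 2.4 mod_authz_core
    has_deny = any(re.fullmatch(r"deny\s+from\s+all", x) for x in d)
    has_allow = any(x.startswith("allow from") for x in d)
    # With "Order Allow,Deny" the Deny is evaluated last and wins; with the
    # default "Order Deny,Allow" any matching Allow overrides the Deny.
    order_allow_deny = any(re.fullmatch(r"order\s+allow\s*,\s*deny", x) for x in d)
    return has_deny and (not has_allow or order_allow_deny)


def grants_all(lines: List[str]) -> bool:
    """True if the directives grant access to every client (2.2 or 2.4 form)."""
    d = [l.lower() for l in lines]
    return any(re.fullmatch(r"(require\s+all\s+granted|allow\s+from\s+all)", x) for x in d)


def audit_root_denial(conf: str) -> Dict[str, object]:
    """Summarise how the configuration treats the filesystem root."""
    secs = [s for s in parse_sections(conf) if s["name"].lower() == "directory"]
    roots = [s for s in secs if s["arg"] == "/"]
    return {
        # The fix the changelog describes: a depth-0 <Directory /> that denies all.
        "global_root_denied": any(denies_all(s["lines"]) for s in roots if s["depth"] == 0),
        # The weakness the report describes: root rules scoped to a vhost only.
        "vhost_scoped_root_rules": sum(1 for s in roots if s["depth"] > 0),
        "granted_paths": sorted(s["arg"] for s in secs
                                if s["depth"] == 0 and s["arg"] != "/" and grants_all(s["lines"])),
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_root_denial(conf))
```

Run against the weak sample the audit reports no global root denial and one vhost-scoped `<Directory />`; against the fixed sample it reports the global denial and exactly the three granted paths. The parser is deliberately small (one directive per line, `#` starts a comment) and is meant as a review aid, not a replacement for `apache2ctl -t` or reading the effective configuration; the symlink case the reporter describes also depends on `Options FollowSymLinks` in the vhost, so a reviewer would check that option alongside the authorization directives.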
