
Bug#548213: marked as done (Apache should protect .svn directories)



Your message dated Tue, 29 May 2012 21:18:31 +0000
with message-id <E1SZToF-0003HE-Uy@franck.debian.org>
and subject line Bug#548213: fixed in apache2 2.2.22-6
has caused the Debian Bug report #548213,
regarding Apache should protect .svn directories
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
548213: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548213
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.13-1

Usually during Web development, when a site is checked out from an SVN
repository, the .svn folder contains the site sources, which can be accessed
from the Web in raw form (e.g. http://site.com/dir/.svn/entries). That
can be a potential security hole.

Solution:

Include the following configuration in Apache's /etc/apache2/apache2.conf:

<Directory ~ ".*\.svn">
    Order allow,deny
    Deny from all
</Directory>


With best regards,
Dmitry







--- End Message ---
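
Added example (not part of the bug report or of the Debian package): a
small access-log audit that shows whether requests for VCS metadata such as
/dir/.svn/entries were served or denied. It goes beyond the report's .svn
case by also matching .git, .hg, .bzr and CVS; the log lines, addresses and
function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# A whole path segment that is VCS metadata. ".svn" is the case from the
# report; the other names are an assumption added for this example.
VCS_SEGMENT = re.compile(r'(?:^|/)(\.svn|\.git|\.hg|\.bzr|CVS)(?:/|$)')


def classify(line):
    """Return (client, path, verdict) for a VCS-metadata request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    client, _method, target, status = m.groups()
    # Drop the query string, then undo percent-encoding such as %2Esvn,
    # so an encoded dot is compared the same way the server resolves it.
    path = unquote(target.split('?', 1)[0])
    if not VCS_SEGMENT.search(path):
        return None
    # Any status below 400 means the deny rule did not apply to this path.
    verdict = 'EXPOSED' if int(status) < 400 else 'blocked'
    return client, path, verdict


def audit(lines):
    """Collect every VCS-metadata request found in an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample input (documentation address ranges, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2012:21:18:31 +0000] "GET /dir/.svn/entries HTTP/1.1" 200 1482 "-" "-"',
    '192.0.2.10 - - [29/May/2012:21:18:40 +0000] "GET /dir/%2Esvn/entries HTTP/1.1" 403 289 "-" "-"',
    '198.51.100.7 - - [29/May/2012:21:19:02 +0000] "GET /docs/release.svn.txt HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [29/May/2012:21:19:05 +0000] "GET /.git/config HTTP/1.1" 404 208 "-" "-"',
    '198.51.100.7 - - [29/May/2012:21:19:09 +0000] "GET /index.html?ref=.svn/ HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == '__main__':
    for client, path, verdict in audit(SAMPLE_LOG):
        print(f'{verdict:8} {client:15} {path}')
```

An EXPOSED line for a host means the deny block from the report (or an
equivalent) is not in effect for that virtual host or directory.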
--- Begin Message ---
Source: apache2
Source-Version: 2.2.22-6

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.22-6_i386.deb
  to main/a/apache2/apache2-dbg_2.2.22-6_i386.deb
apache2-doc_2.2.22-6_all.deb
  to main/a/apache2/apache2-doc_2.2.22-6_all.deb
apache2-mpm-event_2.2.22-6_i386.deb
  to main/a/apache2/apache2-mpm-event_2.2.22-6_i386.deb
apache2-mpm-itk_2.2.22-6_i386.deb
  to main/a/apache2/apache2-mpm-itk_2.2.22-6_i386.deb
apache2-mpm-prefork_2.2.22-6_i386.deb
  to main/a/apache2/apache2-mpm-prefork_2.2.22-6_i386.deb
apache2-mpm-worker_2.2.22-6_i386.deb
  to main/a/apache2/apache2-mpm-worker_2.2.22-6_i386.deb
apache2-prefork-dev_2.2.22-6_i386.deb
  to main/a/apache2/apache2-prefork-dev_2.2.22-6_i386.deb
apache2-suexec-custom_2.2.22-6_i386.deb
  to main/a/apache2/apache2-suexec-custom_2.2.22-6_i386.deb
apache2-suexec_2.2.22-6_i386.deb
  to main/a/apache2/apache2-suexec_2.2.22-6_i386.deb
apache2-threaded-dev_2.2.22-6_i386.deb
  to main/a/apache2/apache2-threaded-dev_2.2.22-6_i386.deb
apache2-utils_2.2.22-6_i386.deb
  to main/a/apache2/apache2-utils_2.2.22-6_i386.deb
apache2.2-bin_2.2.22-6_i386.deb
  to main/a/apache2/apache2.2-bin_2.2.22-6_i386.deb
apache2.2-common_2.2.22-6_i386.deb
  to main/a/apache2/apache2.2-common_2.2.22-6_i386.deb
apache2_2.2.22-6.debian.tar.gz
  to main/a/apache2/apache2_2.2.22-6.debian.tar.gz
apache2_2.2.22-6.dsc
  to main/a/apache2/apache2_2.2.22-6.dsc
apache2_2.2.22-6_i386.deb
  to main/a/apache2/apache2_2.2.22-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 548213@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 29 May 2012 22:05:48 +0200
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source i386 all
Version: 2.2.22-6
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-itk - multiuser MPM for Apache 2.2
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 402567 548213 649020 671204
Changes: 
 apache2 (2.2.22-6) unstable; urgency=low
 .
   [ Stefan Fritsch ]
   * Fix regression causing apache2 to cache "206 partial content" responses,
     and then serving these partial responses when replying to normal requests.
     Closes: #671204
   * Add section to security.conf that shows how to forbid access to VCS
     directories. Closes: #548213
   * Update ssl default cipher config, add alternative speed optimized config.
     Closes: #649020
   * Add "AddCharset" for .brf files in default mod_mime config.
     Closes: #402567
   * Don't create httpd.conf anymore and don't include it in apache2.conf. If
     it contains local modifications, move it to /etc/apache2/conf.d/httpd.conf
   * Port some of the comments in apache2.conf from the 2.4 package.
   * Compile mod_version statically, drop associated module load file.
   * If apache2 is not running, make "/etc/init.d/apache2 reload" skip the
     configtest.
   * Note in README.Debian that future versions of the package will have the
     include statements changed to include only *.conf.
   * Change compiled-in document root to /var/www, to avoid strange error
     messages.
   * Use "dh --with autotools_dev" instead of patching config.sub/config.guess.
 .
   [ Arno Töll ]
   * Fix apxs to import LDFLAGS from config_vars.mk. Moreover, make it possible
     to override LDFLAGS at compile time by defining LDFLAGS in the environment,
     just like it is possible for CFLAGS. This also means, config_vars.mk now
     exports hardening build flags by default.
   * Update doc-base metadata for the apache2-doc package.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFPxS/ybxelr8HyTqQRAlvBAJ0eusY/gvhl8nZb+XXAWT10Y5o0RgCg3sB5
+pdK7SIRS1n92EFDfrNhdFE=
=W7d1
-----END PGP SIGNATURE-----



--- End Message ---
