
Bug#776385: apache2: Wheezy default security options don't work, please fix

Package: apache2.2-common
Version: 2.2.22-13+deb7u4
Severity: important

Dear Maintainer,

*** Please consider answering these questions, where appropriate ***

   * What led up to the situation? While checking my Apache headers through http://cyh.herokuapp.com/cyh,
     I noticed none are working. Since Debian stands for security and stability, I'm wondering why this is not working.
   * What exactly did you do (or not do) that was effective (or
     ineffective)? I created a new security file in /etc/apache2/conf.d/security-custom
     and added the following content, as recommended by the website mentioned above:
    Header set X-Frame-Options: "sameorigin"
    Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains"
    Header set X-Content-Type-Options: "nosniff"
    Header set Content-Type "text/html;charset=utf-8"
    Header set X-XSS-Protection: "1; mode=block"
    Header set Cache-Control: "no-cache, no-store, must-revalidate"
    Header set Pragma: "no-cache
    Header set Expires: "-1"
    Header set X-Permitted-Cross-Domain-Policies "master-only"
    Header set Content-Security-Policy "Content-Security-Policy-Report-Only"

   * What was the outcome of this action? None of these worked.
   * What outcome did you expect instead? That at least the lines stated in /etc/apache2/conf.d/security worked:
    Header set X-Content-Type-Options: "nosniff"
    Header set X-Frame-Options: "sameorigin"
    Header set X-XSS-Protection: "1; mode=block"

    Please fix this for Debian Wheezy, so we can set up a more secure Apache.


*** End of the template - remove these lines ***

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env expires headers
  mime negotiation php5 proxy_http proxy reqtimeout rewrite security2
  setenvif ssl status unique_id
List of enabled php5 extensions:
  imap mapi pdo

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork  2.2.22-13+deb7u4
ii  apache2.2-common     2.2.22-13+deb7u4

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils  2.2.22-13+deb7u4
ii  apache2.2-bin  2.2.22-13+deb7u4
ii  lsb-base       4.1+Debian8+deb7u1
ii  mime-support   3.52-1+deb7u1
ii  perl           5.14.2-21+deb7u2
ii  procps         1:3.3.3-3

Versions of packages apache2.2-common recommends:
ii  ssl-cert  1.0.32

Versions of packages apache2.2-common suggests:
pn  apache2-doc                             <none>
pn  apache2-suexec | apache2-suexec-custom  <none>
ii  w3m [www-browser]                       0.5.3-8

-- no debconf information
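The directives quoted in the report illustrate two ways a `Header` line can be accepted or rejected by Apache without producing the intended response header: a colon left on the header name (Apache takes the name verbatim, so the emitted header is named "X-Frame-Options:" and clients do not recognise it) and an unbalanced quote (Apache refuses the whole config). The following Python linter is an added example, not part of the bug report or the Debian package; it flags both defects plus a Content-Security-Policy value that names no directive, using the reporter's snippet above as constructed sample input.

```python
import re
import shlex

# Constructed sample: the directives from the report above, copied verbatim
# (including the missing closing quote on the Pragma line).
REPORTED_CONFIG = """\
Header set X-Frame-Options: "sameorigin"
Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains"
Header set X-Content-Type-Options: "nosniff"
Header set Content-Type "text/html;charset=utf-8"
Header set X-XSS-Protection: "1; mode=block"
Header set Cache-Control: "no-cache, no-store, must-revalidate"
Header set Pragma: "no-cache
Header set Expires: "-1"
Header set X-Permitted-Cross-Domain-Policies "master-only"
Header set Content-Security-Policy "Content-Security-Policy-Report-Only"
"""

# Header [condition] action name [value]; the condition defaults to onsuccess,
# so without "always" the header is not added to error responses.
HEADER_RE = re.compile(r"^\s*Header\s+(?:(?:always|onsuccess)\s+)?"
                       r"(?:set|append|add|merge|unset|edit|echo)\s+(.*)$", re.I)
CSP_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src", "connect-src",
                  "object-src", "frame-src", "frame-ancestors", "form-action",
                  "base-uri", "report-uri", "sandbox", "upgrade-insecure-requests"}

def lint_header_directives(text):
    """Return (line_no, header_name, problem) for each defective Header line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a mod_headers directive
        try:
            args = shlex.split(m.group(1))  # Apache also splits on whitespace and quotes
        except ValueError:
            findings.append((no, None, "unbalanced quote; Apache rejects this config"))
            continue
        if not args:
            continue  # "Header set" with nothing after it; Apache reports that itself
        name, value = args[0], " ".join(args[1:])
        if name.endswith(":"):
            # Apache keeps the name verbatim; no client recognises "X-Frame-Options:"
            findings.append((no, name, "trailing colon becomes part of the header name"))
        elif name.lower() == "content-security-policy" and not any(
                part.split()[0].lower() in CSP_DIRECTIVES
                for part in value.split(";") if part.strip()):
            findings.append((no, name, "no CSP directive in value; browsers ignore unknown ones"))
    return findings
```

Running it over the reporter's snippet reports eight findings: six trailing colons, the unterminated Pragma line, and the CSP value. A directive such as `Header always set X-Frame-Options "sameorigin"` passes clean.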