Bug#776385: marked as done (apache2: Wheezy default security options dont work, please fix)

Your message dated Tue, 27 Jan 2015 17:15:44 +0000
with message-id <54C7C7C0.2020103@nirgal.com>
and subject line Re: Wheezy default security options dont work, please fix
has caused the Debian Bug report #776385,
regarding apache2: Wheezy default security options dont work, please fix
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

776385: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776385
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.22-13+deb7u4
Severity: important

Dear Maintainer,

*** Please consider answering these questions, where appropriate ***

   * What led up to the situation? While checking my apache headers through http://cyh.herokuapp.com/cyh
     I noticed none are working. Since Debian stands for security and stability, I'm wondering why this is not working.
   * What exactly did you do (or not do) that was effective (or
     ineffective)? I did create a new security file in /etc/apache2/conf.d/security-custom
    and added the following content as recommended by the website mentioned above:
    Header set X-Frame-Options: "sameorigin"
    Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains"
    Header set X-Content-Type-Options: "nosniff"
    Header set Content-Type "text/html;charset=utf-8"
    Header set X-XSS-Protection: "1; mode=block"
    Header set Cache-Control: "no-cache, no-store, must-revalidate"
    Header set Pragma: "no-cache"
    Header set Expires: "-1"
    Header set X-Permitted-Cross-Domain-Policies "master-only"
    Header set Content-Security-Policy "Content-Security-Policy-Report-Only"

   * What was the outcome of this action? None of these worked
   * What outcome did you expect instead? that at least the lines worked as stated in /etc/apache2/conf.d/security
    Header set X-Content-Type-Options: "nosniff"
    Header set X-Frame-Options: "sameorigin"
    Header set X-XSS-Protection: "1; mode=block"

    Please fix this for debian wheezy, so we can set a more secure apache.


*** End of the template - remove these lines ***

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env expires headers
  mime negotiation php5 proxy_http proxy reqtimeout rewrite security2
  setenvif ssl status unique_id
List of enabled php5 extensions:
  imap mapi pdo

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork  2.2.22-13+deb7u4
ii  apache2.2-common     2.2.22-13+deb7u4

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils  2.2.22-13+deb7u4
ii  apache2.2-bin  2.2.22-13+deb7u4
ii  lsb-base       4.1+Debian8+deb7u1
ii  mime-support   3.52-1+deb7u1
ii  perl           5.14.2-21+deb7u2
ii  procps         1:3.3.3-3

Versions of packages apache2.2-common recommends:
ii  ssl-cert  1.0.32

Versions of packages apache2.2-common suggests:
pn  apache2-doc                             <none>
pn  apache2-suexec | apache2-suexec-custom  <none>
ii  w3m [www-browser]                       0.5.3-8

-- no debconf information

--- End Message ---
--- Begin Message ---
Closing the report, then.

Louis van Belle wrote:
> Please remove this bug report. This was my own error. Mod-security
> was doing its work... I noticed in the mod-security debug.log
> that all the needed headers were set.
> I retested without mod-security enabled and all was ok.. Sorry for
> this report..

Attachment: signature.asc
Description: OpenPGP digital signature

--- End Message ---
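
A way to confirm from the client side which of the `Header set` lines quoted from /etc/apache2/conf.d/security actually reach the browser, for instance before and after disabling mod-security as in the follow-up. This is an added example, not part of the original report; the function names and the sample response are constructed, and only plain `Header set` directives are handled.

```python
import shlex

# The three directives quoted in the report from /etc/apache2/conf.d/security.
DIRECTIVES = '''
Header set X-Content-Type-Options: "nosniff"
Header set X-Frame-Options: "sameorigin"
Header set X-XSS-Protection: "1; mode=block"
'''

# Constructed sample response head (not captured from the reporter's server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

def parse_directives(conf):
    """Return {lowercased header name: expected value} for 'Header set' lines."""
    expected = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError as exc:  # e.g. an unterminated quote in the value
            raise ValueError("unparseable directive %r: %s" % (line, exc))
        if len(tokens) >= 4 and [t.lower() for t in tokens[:2]] == ["header", "set"]:
            # mod_headers accepts the header name with or without the final colon.
            expected[tokens[2].rstrip(":").lower()] = tokens[3]
    return expected

def response_headers(raw):
    """Parse the header block of a raw HTTP response into a lowercased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(conf, raw):
    """Map each configured header to 'ok', 'missing' or 'mismatch'."""
    got = response_headers(raw)
    return {name: "ok" if got.get(name) == value
            else "missing" if name not in got else "mismatch"
            for name, value in parse_directives(conf).items()}
```

Feed `audit()` the raw response head saved from the server under test in place of `SAMPLE_RESPONSE`; any entry other than `ok` is a header that was configured but did not arrive as written.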