Your message dated Tue, 27 Jan 2015 17:15:44 +0000
with message-id <54C7C7C0.2020103@nirgal.com>
and subject line Re: Wheezy default security options dont work, please fix
has caused the Debian Bug report #776385,
regarding apache2: Wheezy default security options dont work, please fix
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
776385: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776385
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apache2: Wheezy default security options dont work, please fix
- From: Louis <louis@van-belle.nl>
- Date: Tue, 27 Jan 2015 15:52:38 +0100
- Message-id: <20150127145238.6500.32593.reportbug@core.van-belle.com>
Package: apache2.2-common
Version: 2.2.22-13+deb7u4
Severity: important

Dear Maintainer,

*** Please consider answering these questions, where appropriate ***

* What led up to the situation?

While checking my apache headers through http://cyh.herokuapp.com/cyh
I noticed none are working. Since Debian stands for security and stability,
I'm wondering why this is not working.

* What exactly did you do (or not do) that was effective (or ineffective)?

I created a new security file in /etc/apache2/conf.d/security-custom
and added the following content, as recommended by the website mentioned above:

    Header set X-Frame-Options: "sameorigin"
    Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains"
    Header set X-Content-Type-Options: "nosniff"
    Header set Content-Type "text/html;charset=utf-8"
    Header set X-XSS-Protection: "1; mode=block"
    Header set Cache-Control: "no-cache, no-store, must-revalidate"
    Header set Pragma: "no-cache
    Header set Expires: "-1"
    Header set X-Permitted-Cross-Domain-Policies "master-only"
    Header set Content-Security-Policy "Content-Security-Policy-Report-Only"

* What was the outcome of this action?

None of these worked.

* What outcome did you expect instead?

That at least the lines worked as stated in /etc/apache2/conf.d/security:

    Header set X-Content-Type-Options: "nosniff"
    Header set X-Frame-Options: "sameorigin"
    Header set X-XSS-Protection: "1; mode=block"

Please fix this for Debian wheezy, so we can set up a more secure apache.

Thanks.
*** End of the template - remove these lines ***

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env expires headers
  mime negotiation php5 proxy_http proxy reqtimeout rewrite security2
  setenvif ssl status unique_id
List of enabled php5 extensions:
  imap mapi pdo

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork  2.2.22-13+deb7u4
ii  apache2.2-common     2.2.22-13+deb7u4

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils  2.2.22-13+deb7u4
ii  apache2.2-bin  2.2.22-13+deb7u4
ii  lsb-base       4.1+Debian8+deb7u1
ii  mime-support   3.52-1+deb7u1
ii  perl           5.14.2-21+deb7u2
ii  procps         1:3.3.3-3

Versions of packages apache2.2-common recommends:
ii  ssl-cert  1.0.32

Versions of packages apache2.2-common suggests:
pn  apache2-doc                             <none>
pn  apache2-suexec | apache2-suexec-custom  <none>
ii  w3m [www-browser]                       0.5.3-8

-- no debconf information
--- End Message ---
--- Begin Message ---
- To: 776385-done@bugs.debian.org
- Subject: Re: Wheezy default security options dont work, please fix
- From: Jean-Michel Nirgal Vourgère <jmv_deb@nirgal.com>
- Date: Tue, 27 Jan 2015 17:15:44 +0000
- Message-id: <54C7C7C0.2020103@nirgal.com>
Closing the report, then.

Louis van Belle wrote:
> Please remove this bug report. This was my own error. Mod-security
> was doing its work... I noticed that in the mod-security debug.log
> that all the needed headers were set.
> I retested without mod-security enabled and all was ok.. Sorry for
> this report..

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---
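
The thread turns on headers that were configured with `Header set` but did not show up in responses while another module was active. The following is an added example, not part of the original messages or of the Debian package: it compares `Header set` directives against a captured response head and reports which configured headers are missing or altered. The sample config and response are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: directives in the style of the report's
# /etc/apache2/conf.d/security-custom, one with an unbalanced quote.
SAMPLE_CONF = '''\
Header set X-Frame-Options: "sameorigin"
Header set X-Content-Type-Options: "nosniff"
Header set Pragma: "no-cache
'''

# Constructed sample: a response head as a client would receive it.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                   "X-Content-Type-Options: nosniff\r\n\r\n")

DIRECTIVE = re.compile(r'^\s*Header\s+(?:always\s+)?set\s+(\S+)\s+(.*?)\s*$', re.I)

def parse_header_set(conf_text):
    """Return ({lowercased name: expected value}, [lint warnings])."""
    expected, warnings = {}, []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name = m.group(1).rstrip(":").lower()  # mod_headers allows a trailing colon
        value = m.group(2)
        if value.startswith('"') and value.endswith('"') and len(value) >= 2:
            value = value[1:-1]
        elif value.startswith('"'):
            warnings.append(f"line {lineno}: unbalanced quote in {name}")
            value = value[1:]
        expected[name] = value
    return expected, warnings

def parse_response_head(raw):
    """Parse header lines before the blank line; names are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # drop status line
    pairs = (line.partition(":") for line in head)
    return {n.strip().lower(): v.strip() for n, _, v in pairs}

def diff_headers(conf_text, raw_response):
    """Map each configured header to 'ok', 'missing' or 'differs'."""
    expected, warnings = parse_header_set(conf_text)
    seen = parse_response_head(raw_response)
    status = {}
    for name, value in expected.items():
        status[name] = "missing" if name not in seen else (
            "ok" if seen[name] == value else "differs")
    return status, warnings
```

Running the same comparison with a suspect module enabled and then disabled shows whether the configuration or a later processing stage is responsible for an absent header.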