Bug#1080079: apache2: Upgrade from Debian 11 to 12 seems to have enabled serve-cgi-bin.conf (security risk)
Package: apache2
Version: 2.4.61-1~deb12u1
Severity: important
Dear Maintainer,
I recently upgraded from Bullseye to Bookworm. Afterwards, I noticed
that CGI scripts were active on the default host.
I investigated it and found that the upgrade seemed to have re-enabled
config-available/serve-cgi-bin.conf which I had intentionally disabled
previously, because I didn't want to have CGI enabled globally, but
rather enable it on a virtual host basis.
This created a risk because now CGI scripts could be invoked through the
default host with no access restrictions.
I believe there should be a mechanism that allows admins to
permanently block certain config fragments, without the Debian package
config/upgrade mechanism interfering and re-enabling them.
(I hope I'm not missing anything, I re-checked all default config
files before posting this report. I chose not to include my modified
config files, as they contain confidential info.)
Thank you.
Kind regards,
Ralf
-- Package-specific info:
-- System Information:
Debian Release: 12.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-23-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apache2 depends on:
ii apache2-bin 2.4.61-1~deb12u1
ii apache2-data 2.4.61-1~deb12u1
ii apache2-utils 2.4.61-1~deb12u1
ii init-system-helpers 1.65.2
ii lsb-base 11.6
ii media-types 10.0.0
ii perl 5.36.0-7+deb12u1
ii procps 2:4.0.2-3
ii sysvinit-utils [lsb-base] 3.06-4
Versions of packages apache2 recommends:
pn ssl-cert <none>
Versions of packages apache2 suggests:
ii apache2-doc 2.4.61-1~deb12u1
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2-bin depends on:
ii libapr1 1.7.2-3
ii libaprutil1 1.6.3-1
ii libaprutil1-dbd-sqlite3 1.6.3-1
ii libaprutil1-ldap 1.6.3-1
ii libbrotli1 1.0.9-2+b6
ii libc6 2.36-9+deb12u7
ii libcrypt1 1:4.4.33-2
ii libcurl4 7.88.1-10+deb12u6
ii libjansson4 2.14-2
ii libldap-2.5-0 2.5.13+dfsg-5
ii liblua5.3-0 5.3.6-2
ii libnghttp2-14 1.52.0-1+deb12u1
ii libpcre2-8-0 10.42-1
ii libssl3 3.0.13-1~deb12u1
ii libxml2 2.9.14+dfsg-1.3~deb12u1
ii perl 5.36.0-7+deb12u1
ii zlib1g 1:1.2.13.dfsg-1
Versions of packages apache2-bin suggests:
ii apache2-doc 2.4.61-1~deb12u1
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2 is related to:
ii apache2 2.4.61-1~deb12u1
ii apache2-bin 2.4.61-1~deb12u1
-- Configuration Files:
/etc/apache2/conf-available/security.conf changed [not included]
/etc/apache2/mods-available/ssl.conf changed [not included]
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/logrotate.d/apache2 changed [not included]
-- no debconf information
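As an added example (not part of the bug report and not code from Debian's apache2 packaging), the following POSIX shell script shows one way an admin can enforce the kind of permanent block the report asks for: it audits the conf-enabled directory against an admin-maintained denylist and disables any denylisted fragment, such as serve-cgi-bin, that a package upgrade has re-enabled. It assumes Debian's layout, where a fragment in conf-available/ is active only when a symlink to it exists in conf-enabled/; the denylist file name and the sample config tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or the apache2 package): audit and
# enforce an admin-maintained denylist of Apache conf fragments after a
# package upgrade. Assumes Debian's layout, where a fragment in
# conf-available/ is active iff a symlink to it exists in conf-enabled/.

# List the names (without .conf) of every fragment currently enabled.
conf_enabled_fragments() {
  root=$1
  for link in "$root"/conf-enabled/*.conf; do
    # the literal glob comes back when the directory is empty; skip it
    [ -L "$link" ] || [ -e "$link" ] || continue
    basename "$link" .conf
  done
}

# enforce_conf_denylist <apache_root> <denylist_file>
# The denylist (hypothetical file, one fragment name per line, '#' comments)
# names fragments the admin never wants enabled. Any such fragment found in
# conf-enabled/ is reported and its symlink removed, which is what a2disconf
# does. Returns 1 if anything had to be disabled, 0 otherwise, so a caller
# can decide whether Apache needs a configtest and reload.
enforce_conf_denylist() {
  root=$1
  denylist=$2
  changed=0
  while read -r name; do
    case $name in ''|'#'*) continue ;; esac
    link="$root/conf-enabled/$name.conf"
    if [ -L "$link" ] || [ -e "$link" ]; then
      echo "denylisted fragment enabled, disabling: $name"
      rm -f "$link"
      changed=1
    fi
  done < "$denylist"
  return $changed
}

# Build a throwaway config tree (constructed sample data) that mimics the
# state described in the report: serve-cgi-bin.conf re-enabled next to the
# admin's other fragments. Prints the tree's path.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/conf-available" "$root/conf-enabled"
  cat > "$root/conf-available/serve-cgi-bin.conf" <<'EOF'
# constructed stand-in for Debian's fragment; the real file differs
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
EOF
  echo 'ServerTokens Prod' > "$root/conf-available/security.conf"
  ln -s ../conf-available/serve-cgi-bin.conf "$root/conf-enabled/serve-cgi-bin.conf"
  ln -s ../conf-available/security.conf "$root/conf-enabled/security.conf"
  printf '# fragments that must never be enabled on this host\nserve-cgi-bin\n' \
    > "$root/conf-denylist"
  echo "$root"
}

# Stand-alone demo: build the tree, show what is enabled, enforce, show again.
if [ "${1:-}" = "demo" ]; then
  tree=$(make_demo_tree)
  echo "enabled before:"; conf_enabled_fragments "$tree"
  enforce_conf_denylist "$tree" "$tree/conf-denylist" || echo "(changes made; reload Apache)"
  echo "enabled after:"; conf_enabled_fragments "$tree"
  rm -rf "$tree"
fi
```

Run it with `sh script.sh demo` to see the constructed tree before and after enforcement. For real use, point `enforce_conf_denylist` at /etc/apache2 and a denylist kept outside the package-managed files, run it from an APT hook (a DPkg::Post-Invoke entry under /etc/apt/apt.conf.d/) or a post-upgrade checklist, and follow a non-zero exit with `apache2ctl configtest` and a reload. Note that it only removes the conf-enabled symlink; a fragment pulled in by an explicit Include elsewhere in the configuration is not covered, so pairing it with a review of the running configuration (for example `apache2ctl -S` and `apache2ctl -M`) is still worthwhile after an upgrade.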