Bug#1114729: apache2 delivers .php files uninterpreted in clear during apt dist-upgrade
Package: apache2
Version: 2.4.65-2
Severity: critical
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
I have a Debian server with Apache which is serving various PHP applications.
* What exactly did you do (or not do) that was effective (or ineffective)?
I started apt dist-upgrade, which updated apache2 to a newer version.
* What was the outcome of this action?
During the run of apt dist-upgrade, apache suddenly delivered the .php files uninterpreted in cleartext to the clients, revealing any secrets, database connection strings, passwords, API keys, ... to the user requesting the page.
After apt dist-upgrade was complete, apache correctly interpreted the .php files again.
* What outcome did you expect instead?
I would have expected apache2 not to leak the .php source code: either to correctly interpret .php files during the migration, or to have apache2 stopped during the migration if that is not possible.
I have sent this report to the Debian Security Team first, and they told me to file a public report instead.
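The following is an added example, not part of the bug report above and not code from the Debian apache2 package: a small POSIX shell probe that an operator can run against a known .php URL (for instance in a loop while a dist-upgrade is running) to detect the condition the reporter describes, i.e. the server returning PHP source instead of the interpreted page. The function names, the sample response bodies and the exit-code convention are all constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): detect Apache serving PHP source.
# Names (php_source_leaked, check_php_url) and sample bodies are assumptions
# constructed for this illustration.

# Return 0 (true) when a response body looks like uninterpreted PHP source:
# a "<?php" open tag or a "<?=" short echo tag anywhere in the body.
# Caveat: a page that legitimately prints literal PHP code (a tutorial, a
# code viewer) will trip this check; compare against a known-good response
# of the same URL if that is a concern.
php_source_leaked() {
    printf '%s' "$1" | grep -q -e '<?php' -e '<?='
}

# Fetch one URL that is expected to be a .php page and classify the result.
# Prints "OK", "LEAK" or "UNREACHABLE" followed by the URL.
# Exit status: 0 = interpreted, 1 = unreachable, 2 = source leaked
# (2 is deliberately distinct so a monitoring wrapper can page on it).
check_php_url() {
    url="$1"
    body=$(curl -fsS --max-time 10 "$url" 2>/dev/null) || {
        echo "UNREACHABLE $url"
        return 1
    }
    if php_source_leaked "$body"; then
        echo "LEAK $url"
        return 2
    fi
    echo "OK $url"
    return 0
}

# Constructed sample bodies for an offline dry run (no server needed):
SAMPLE_INTERPRETED='<!DOCTYPE html><html><body>Hello from index.php</body></html>'
SAMPLE_LEAKED='<?php
$db = new PDO("mysql:host=db;dbname=app", "appuser", "EXAMPLE-PLACEHOLDER-PASSWORD");
'

# Usage: sh php_leak_probe.sh https://www.example.org/index.php [more URLs]
# With URLs given, probe each one and exit with the worst status seen.
if [ "$#" -gt 0 ]; then
    worst=0
    for u in "$@"; do
        check_php_url "$u"
        rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    exit "$worst"
fi
```

Run it in a loop (for example `while sleep 2; do sh php_leak_probe.sh https://www.example.org/index.php; done`) in a second terminal while the upgrade proceeds; a single `LEAK` line is enough to justify stopping the web server until the upgrade has finished. As a configuration-side mitigation for deployments that use mod_php, a `<FilesMatch "\.php$">` block with `Require all denied`, wrapped in `<IfModule !php_module>`, would refuse to serve .php files whenever the PHP module is not loaded; that guard is an assumption about the reporter's setup (the report does not say whether mod_php or php-fpm is in use), and a php-fpm deployment needs an equivalent check on its handler instead.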
-- Package-specific info:
-- System Information:
Debian Release: 13.1
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-28-amd64 (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apache2 depends on:
ii apache2-bin 2.4.65-2
ii apache2-data 2.4.65-2
ii apache2-utils 2.4.65-2
ii init-system-helpers 1.69~deb13u1
ii media-types 13.0.0
ii perl 5.40.1-6
ii procps 2:4.0.4-9
Versions of packages apache2 recommends:
ii ssl-cert 1.1.3
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii lynx [www-browser] 2.9.2-1
pn ufw <none>
Versions of packages apache2-bin depends on:
ii libapr1t64 1.7.5-1
ii libaprutil1-dbd-sqlite3 1.6.3-3+b1
ii libaprutil1-ldap 1.6.3-3+b1
ii libaprutil1t64 1.6.3-3+b1
ii libbrotli1 1.1.0-2+b7
ii libc6 2.41-12
ii libcrypt1 1:4.4.38-1
ii libcurl4t64 8.14.1-2
ii libjansson4 2.14-2+b3
ii libldap2 2.6.10+dfsg-1
ii liblua5.4-0 5.4.7-1+b2
ii libnghttp2-14 1.64.0-1.1
ii libpcre2-8-0 10.46-1~deb13u1
ii libssl3t64 3.5.1-1
ii libxml2 2.12.7+dfsg+really2.9.14-2.1+deb13u1
ii perl 5.40.1-6
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii lynx [www-browser] 2.9.2-1
Versions of packages apache2 is related to:
ii apache2 2.4.65-2
ii apache2-bin 2.4.65-2
-- Configuration Files:
/etc/apache2/apache2.conf changed:
ServerRoot "/etc/apache2"
PidFile /var/run/apache2/apache2.pid
DefaultRuntimeDir /var/run/apache2/
Timeout 3000
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
Mutex file:/var/lock/apache2 default
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_worker_module>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
User www-data
Group www-data
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
HostnameLookups Off
ErrorLog /var/log/apache2/error.log
LogLevel warn
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
Include /etc/apache2/ports.conf
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined
Include /etc/apache2/conf.d/
Include /etc/apache2/sites-enabled/
TraceEnable Off
ServerTokens Prod
/etc/apache2/conf-available/charset.conf changed:
AddDefaultCharset UTF-8
/etc/apache2/conf-available/security.conf changed:
ServerTokens Prod
ServerSignature Off
TraceEnable Off
RedirectMatch 404 /\.git
RedirectMatch 404 /\.svn
/etc/apache2/mods-available/cgid.conf changed:
ScriptSock /var/run/apache2/cgisock
/etc/apache2/mods-available/dav.load changed:
<IfModule !mod_dav.c>
LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so
</IfModule>
/etc/apache2/mods-available/ssl.conf changed:
<IfModule mod_ssl.c>
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLHonorCipherOrder On
SSLCompression off
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</IfModule>
/etc/apache2/ports.conf changed:
Listen 80
<IfModule mod_ssl.c>
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
Listen 443
</IfModule>
/etc/logrotate.d/apache2 changed:
/var/log/apache2/*.log {
daily
missingok
rotate 1400
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then
run-parts /etc/logrotate.d/httpd-prerotate
fi
endscript
postrotate
if pgrep -f ^/usr/sbin/apache2 > /dev/null; then
invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate
fi
endscript
}
-- no debconf information