
Bug#971062: marked as done (buster-pu: package plinth/19.1)



Your message dated Sat, 05 Dec 2020 11:02:00 +0000
with message-id <b70f86aac27195271a9b5212c7acc936da6ff100.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates in 10.7 point release
has caused the Debian Bug report #971062,
regarding buster-pu: package plinth/19.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
971062: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971062
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jvalleroy@mailbox.org


This update proposes to fix security tracker issue CVE-2020-25073,
where a remote attacker could obtain sensitive information from the
/server-status page of the Apache HTTP Server, because a connection
from the Tor onion service (or from PageKite) is considered a local
connection.

This issue also exists in stretch.

If the update is not approved, then users who enable Tor onion service
or Pagekite risk the apache server logs being publicly visible through
the onion address or kite URL.

To test, you would need to install freedombox package, click through
the initial setup, install Tor through the FreedomBox interface, and
then check if /server-status can be accessed through Tor browser using
the onion address displayed in the interface.

The change has already been applied in unstable, testing, and
buster-backports, and has been confirmed to solve the problem. The
change modifies the initial setup of apache web server so that
mod_status is disabled.

FreedomBox software does encourage use of backports, so I expect
nearly all users already have the fix. However, it is still good to
have it properly fixed in buster.

Please let me know if you need any more information.

Thanks,
James

diff -Nru plinth-19.1/actions/apache plinth-19.1+deb10u1/actions/apache
--- plinth-19.1/actions/apache	2019-02-14 06:01:19.000000000 -0500
+++ plinth-19.1+deb10u1/actions/apache	2020-09-21 21:40:22.000000000 -0400
@@ -122,6 +122,9 @@
         webserver.enable('proxy_fcgi', kind='module')
         webserver.enable('rewrite', kind='module')
 
+        # Disable /server-status page to avoid leaking private info.
+        webserver.disable('status', kind='module')
+
         # switch to mod_ssl from mod_gnutls
         webserver.disable('gnutls', kind='module')
         webserver.enable('ssl', kind='module')
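Review bot: the new `webserver.disable('status', kind='module')` call sits inside the setup action, so a system that already ran this action before the update only gets mod_status disabled if setup is re-run on upgrade; nothing in this diff bumps a module version or otherwise forces a re-run, so please confirm the upgrade path for existing buster installs (or state in the changelog that the action must be re-run). The comment above the call would also be more useful if it named the root cause from the bug report, that connections relayed by the local Tor daemon or PageKite client look like local connections to Apache, so a later reader does not re-enable the module on the assumption that its default local-only restriction is enough.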
diff -Nru plinth-19.1/debian/changelog plinth-19.1+deb10u1/debian/changelog
--- plinth-19.1/debian/changelog	2019-02-14 06:01:19.000000000 -0500
+++ plinth-19.1+deb10u1/debian/changelog	2020-09-21 21:40:22.000000000 -0400
@@ -1,3 +1,9 @@
+plinth (19.1+deb10u1) buster; urgency=medium
+
+  * apache: Disable mod_status (CVE-2020-25073)
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Mon, 21 Sep 2020 21:40:22 -0400
+
 plinth (19.1) unstable; urgency=medium
 
   [ James Valleroy ]
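Review bot: the changelog line "apache: Disable mod_status (CVE-2020-25073)" names the CVE but not the user-visible effect; since the module is disabled unconditionally, administrators who used /server-status from the local network lose it too, so a second line saying that /server-status was reachable through Tor onion service and PageKite connections and is no longer served would help users reading the changelog on upgrade. The entry otherwise matches the diff, which touches only the apache setup action.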

--- End Message ---
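The report above explains the leak as Apache treating a connection from the local Tor daemon or PageKite client as a local connection. The following is an added example, not plinth or FreedomBox code: it models that access decision so the failure is visible, shows that removing the module (as the patch does) closes the page regardless of how the peer address looks, and scans constructed Apache log lines for past exposure. It assumes Apache's vhost_combined log format (so the requested vhost is recorded), that relay hostnames end in .onion or .pagekite.me, and the sample requests and log lines are constructed for the example.

```python
"""Why `Require local` did not protect /server-status behind a Tor onion
service or PageKite, and a log check for past exposure.
Added example, not plinth/FreedomBox code; all sample data is constructed."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    remote_addr: str   # TCP peer address as Apache sees it
    server_addr: str   # address Apache accepted the connection on
    host: str          # value of the Host: header


def require_local(req: Request) -> bool:
    """Approximates mod_authz_host's `Require local`: the peer is a loopback
    address or the same address the server itself is bound to."""
    remote = ipaddress.ip_address(req.remote_addr)
    return remote.is_loopback or req.remote_addr == req.server_addr


def status_allowed(req: Request, mod_status_enabled: bool) -> bool:
    """Access decision for /server-status.  With mod_status loaded, Debian's
    default status configuration grants the page to `Require local`; with the
    module disabled (the patch's fix) the handler does not exist at all."""
    if req.path != "/server-status":
        return False
    if not mod_status_enabled:
        return False
    return require_local(req)


# Relayed by the local Tor daemon (or PageKite client): the TCP peer is
# 127.0.0.1, so `Require local` passes although the real client is remote.
ONION_REQUEST = Request("/server-status", "127.0.0.1", "127.0.0.1",
                        "exampleexample.onion")   # constructed hostname
# A genuinely remote client on the LAN, for comparison.
LAN_REQUEST = Request("/server-status", "192.0.2.10", "192.0.2.1",
                      "freedombox.local")

# Constructed vhost_combined lines ("%v:%p %h %l %u %t \"%r\" %>s %O ...").
SAMPLE_LOG = """\
exampleexample.onion:80 127.0.0.1 - - [21/Sep/2020:21:40:22 -0400] "GET /server-status HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
exampleexample.onion:80 127.0.0.1 - - [21/Sep/2020:21:41:02 -0400] "GET /plinth/ HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
freedombox.local:443 192.0.2.10 - - [21/Sep/2020:21:42:10 -0400] "GET /server-status HTTP/1.1" 403 199 "-" "curl/7.64.0"
mybox.pagekite.me:80 127.0.0.1 - - [21/Sep/2020:21:43:55 -0400] "GET /server-status?refresh=5 HTTP/1.1" 200 5140 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

RELAY_SUFFIXES = (".onion", ".pagekite.me")   # assumed relay hostname patterns


def find_exposed_status_hits(log_text: str) -> list:
    """Return (vhost, client, target) for successful /server-status responses
    that arrived via a relay vhost from a loopback peer: the exact pattern
    of the leak described in the bug report."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        if path != "/server-status" or m.group("status") != "200":
            continue
        vhost = m.group("vhost")
        client = ipaddress.ip_address(m.group("client"))
        if vhost.endswith(RELAY_SUFFIXES) and client.is_loopback:
            hits.append((vhost, m.group("client"), m.group("target")))
    return hits


if __name__ == "__main__":
    print("onion peer, mod_status on :", status_allowed(ONION_REQUEST, True))
    print("onion peer, mod_status off:", status_allowed(ONION_REQUEST, False))
    print("LAN client, mod_status on :", status_allowed(LAN_REQUEST, True))
    for hit in find_exposed_status_hits(SAMPLE_LOG):
        print("exposed:", hit)
```

The access model shows the point the report makes: a request that is really remote satisfies the local-only rule because only the TCP peer address is checked, and disabling the module is what actually closes the page. The log scan is a defender's after-the-fact check; on a real system point it at the access log with the vhost_combined format enabled and adjust the relay suffixes to the kite domain in use.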
--- Begin Message ---
Package: release.debian.org
Version: 10.7

Hi,

Each of the updates referenced by these bugs was included in this
morning's buster 10.7 point release.

Regards,

Adam

--- End Message ---