
Re: [d-security] Re: [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities

On Tue, Jul 27, 2004 at 01:42:19PM +0200, Christian Hammers wrote:
> > In my case, the frontend handles SSL connections. Its config file is 
> > /etc/apache/ht-light.conf.
> > The backend instance uses the original filename /etc/apache/httpd.conf.
> > The frontend is already bound to port 443. The backend tried to restart, 
> > but now has a load mod_ssl line, and can't start. And now our 
> > application won't run...
> Oh, come on, if you "apt-get install" the Apache SSL module then you
> really can expect it to actually get installed in the httpd.conf :-)
> (Otherwise hundreds of normal users would complain that SSL does not 
> work although they "installed" it. So at least in my opinion the
> behaviour is ok as special configs will always need attention)

The packaging system *can* differentiate between an upgrade and a fresh
installation.  It's reasonable for the package to do this kind of thing
on a fresh installation, but not on an upgrade.  This should be a bug in
the package in question.  I'm somewhat surprised that the package in
question is allowed to do what it does at all, considering the wording
in section 10.7.4 of the Debian policy document:

"The maintainer scripts must not alter a conffile of any package,
including the one the scripts belong to."

Additionally, from section 10.7.3:
"local changes must be preserved during a package upgrade..."

So I don't really know how the libapache-mod-ssl package gets away with
what it's doing at all.


Attachment: pgp0ypojt8zsW.pgp
Description: PGP signature
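The reply's point is that a maintainer script already has what it needs to tell a fresh install from an upgrade: dpkg calls postinst as `postinst configure <old-version>`, and the second argument is empty only on a fresh install. The sketch below is an added illustration of that decision, not the libapache-mod-ssl postinst or any other Debian package's code. The module path, the drop-in file name and the old version string are assumed values for the demonstration; the script only ever appends to a file it is taken to own, since editing httpd.conf (another package's conffile) is what Policy 10.7.4 forbids.

```shell
#!/bin/sh
# Added illustration (not the libapache-mod-ssl postinst): how a Debian
# maintainer script can tell a fresh install from an upgrade and touch
# configuration only in the former case.
#
# dpkg runs:  postinst configure <most-recently-configured-version>
# On a fresh install the second argument is empty; on an upgrade it carries
# the previously configured version string.

# is_fresh_install ACTION OLD_VERSION
# True (exit 0) only for "configure" with no previously configured version.
is_fresh_install() {
    [ "$1" = "configure" ] && [ -z "$2" ]
}

# ensure_loadmodule CONF_FILE
# Idempotently appends a LoadModule line for mod_ssl to CONF_FILE, which the
# package is assumed to own (a hypothetical drop-in file, not httpd.conf,
# which is another package's conffile and off-limits per Policy 10.7.4).
# The module path is an assumed value for the example.
ensure_loadmodule() {
    conf="$1"
    line='LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so'
    if [ -f "$conf" ] && grep -Eq '^LoadModule[[:space:]]+ssl_module[[:space:]]' "$conf"; then
        return 0   # already present: leave the administrator's file alone
    fi
    printf '%s\n' "$line" >> "$conf"
}

# postinst_configure ACTION OLD_VERSION CONF_FILE
# The decision the reply argues for: enable the module on a fresh install,
# never rewrite configuration on an upgrade.
postinst_configure() {
    if is_fresh_install "$1" "$2"; then
        ensure_loadmodule "$3"
        echo "fresh install: enabled mod_ssl in $3"
    else
        echo "upgrade from ${2:-unknown}: configuration left untouched"
    fi
}

# Demonstration on constructed files in a scratch directory. The version
# string "2.8.9-2" is illustrative, not taken from the advisory.
demo() {
    tmp=$(mktemp -d)
    fresh="$tmp/fresh.conf"; upg="$tmp/upgrade.conf"
    : > "$fresh"; : > "$upg"
    postinst_configure configure ""        "$fresh"   # fresh install
    postinst_configure configure "2.8.9-2" "$upg"     # upgrade
    postinst_configure configure ""        "$fresh"   # re-run: no duplicate line
    echo "LoadModule lines in fresh.conf:   $(grep -c ssl_module "$fresh")"
    echo "LoadModule lines in upgrade.conf: $(grep -c ssl_module "$upg" || true)"
    rm -rf "$tmp"
}

demo
```

Running the block prints one LoadModule line for the fresh-install file (even after a second configure run) and none for the upgrade file, which is exactly the split between "reasonable on a fresh installation" and "not on an upgrade" that the reply draws.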
