Re: about DSA-2452-1 apache2 -- insecure default configuration
On Mon, 16 Apr 2012 14:25:17 +0200, Vincent Lefevre wrote:
> There has been the following change in apache2:
>
> apache2 (2.2.22-4) unstable; urgency=high
>
> * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default
> virtual
(...)
> More information on:
>
> http://www.debian.org/security/2012/dsa-2452.en.html
>
> However, what if some user has a symlink to /usr/share/doc in his
> public_html? I haven't tried, but it seems that the bug would still
> occur (otherwise the right solution wouldn't have been to remove the
> alias, but to change how the scripting modules can affect some paths).
The additional information for the updaters encourage users to review
another configuration files that can be also affected:
***
This updates removes the problematic configuration sections from the
files /etc/apache2/sites-available/default and .../default-ssl. When
upgrading, you should not blindly allow dpkg to replace those files,
though. Rather you should merge the changes, namely the removal of the
"Alias /doc "/usr/share/doc"" line and the related "<Directory "/usr/
share/doc/"$gt;" block, into your versions of these config files. You may
also want to check if you have copied these sections to any additional
virtual host configurations.
***
So at a first glance, I'd also say the bug can be present regardless the
location of the hosted files but the DSA only addresses the default
template config.
> IMHO, the real bug is in mod_php or mod_rivet, that shouldn't be active
> (at least concerning the scripting features) by default unless this is
> explicitly told with some "Options" for the concerned directory.
I can be wrong but the bug seems aimed to correct the package which
contains the file that enables the alias by default, hence the apache2
package.
Greetings,
--
Camaleón
Reply to: