Re: about DSA-2452-1 apache2 -- insecure default configuration

On Mon, 16 Apr 2012 14:25:17 +0200, Vincent Lefevre wrote:

> There has been the following change in apache2:
> apache2 (2.2.22-4) unstable; urgency=high
>   * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default
>   virtual


> More information on:
>   http://www.debian.org/security/2012/dsa-2452.en.html
> However, what if some user has a symlink to /usr/share/doc in his
> public_html? I haven't tried, but it seems that the bug would still
> occur (otherwise the right solution wouldn't have been to remove the
> alias, but to change how the scripting modules can affect some paths).

The additional information for the updaters encourages users to review 
other configuration files that can also be affected:

This update removes the problematic configuration sections from the 
files /etc/apache2/sites-available/default and .../default-ssl. When 
upgrading, you should not blindly allow dpkg to replace those files, 
though. Rather you should merge the changes, namely the removal of the 
"Alias /doc "/usr/share/doc"" line and the related 
"<Directory "/usr/share/doc/">" block, into your versions of these config 
files. You may also want to check if you have copied these sections to any 
additional virtual host configurations.

So at first glance, I'd also say the bug can be present regardless of the 
location of the hosted files but the DSA only addresses the default 
template config.

> IMHO, the real bug is in mod_php or mod_rivet, that shouldn't be active
> (at least concerning the scripting features) by default unless this is
> explicitly told with some "Options" for the concerned directory.

I can be wrong but the bug seems aimed to correct the package which 
contains the file that enables the alias by default, hence the apache2 
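
The check the advisory text above asks for, together with the public_html symlink case raised in the quoted question, as an added example that is not part of the original thread or of the Debian package. The function names and the `/etc/apache2` default are assumptions, counting paths below /usr/share/doc as hits is a choice made here, and `SAMPLE` is constructed.

```python
import os
import re
from pathlib import Path
DOC_ROOT = "/usr/share/doc"  # path named in the advisory text
ALIAS_RE = re.compile(r'^\s*(?:Script)?Alias(?:Match)?\s+\S+\s+"?([^"\s]+)"?', re.I)
DIR_RE = re.compile(r'^\s*<Directory\s+"?([^">\s]+)"?\s*>', re.I)

# Constructed sample modelled on the section the advisory says to remove.
SAMPLE = """\
<VirtualHost *:80>
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
    </Directory>
    # Alias /manual "/usr/share/doc/apache2-doc"
</VirtualHost>
"""

def under_doc_root(path):  # DOC_ROOT itself or anything below it
    p = os.path.normpath(path)
    return p == DOC_ROOT or p.startswith(DOC_ROOT + "/")

def scan_config(text, name="<config>"):
    """Return (name, line_no, kind, line) for each active directive exposing DOC_ROOT."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):  # commented-out directives are inert
            continue
        for kind, rx in (("alias", ALIAS_RE), ("directory", DIR_RE)):
            m = rx.match(line)
            if m and under_doc_root(m.group(1)):
                hits.append((name, no, kind, line))
    return hits

def scan_tree(conf_dir="/etc/apache2"):
    """Scan every regular file below conf_dir; enabled-site symlinks collapse to one file."""
    files = {p.resolve() for p in Path(conf_dir).rglob("*") if p.is_file()}
    return [h for f in sorted(files)
            for h in scan_config(f.read_text(errors="replace"), str(f))]

def doc_symlinks(web_root):
    """Symlinks below web_root (for example a public_html) that resolve into DOC_ROOT."""
    found = []
    for d, dirs, files in os.walk(web_root):
        for p in (os.path.join(d, e) for e in dirs + files):
            if os.path.islink(p) and under_doc_root(os.path.realpath(p)):
                found.append(p)
    return found
```

Run `scan_tree()` after merging the package change to list any virtual host that still carries the alias or the `<Directory>` block, and `doc_symlinks()` on each user web root.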



