Re: about DSA-2452-1 apache2 -- insecure default configuration



On 2012-04-17 15:39:48 +0000, Camaleón wrote:
> On Mon, 16 Apr 2012 14:25:17 +0200, Vincent Lefevre wrote:
> > IMHO, the real bug is in mod_php or mod_rivet, that shouldn't be active
> > (at least concerning the scripting features) by default unless this is
> > explicitly told with some "Options" for the concerned directory.
> 
> I can be wrong but the bug seems aimed to correct the package which 
> contains the file that enables the alias by default, hence the apache2 
> package.

But the user isn't necessarily the administrator. If the admin
installs mod_php, making the bug appear if the user has added
a symlink to /usr/share/doc, that's very bad.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

