Re: about DSA-2452-1 apache2 -- insecure default configuration
On Fri, 20 Apr 2012 01:50:29 +0200, Vincent Lefevre wrote:
> On 2012-04-19 15:08:55 +0000, Camaleón wrote:
>> >> I can be wrong but the bug seems aimed to correct the package which
>> >> contains the file that enables the alias by default, hence the
>> >> apache2 package.
>> >
>> > But the user isn't necessarily the administrator. If the admin
>> > installs mod_php, making the bug appear if the user has added a
>> > symlink to /usr/share/doc, that's very bad.
>>
>> Sure, but in such a case the user (who is in charge of the "alias" for
>> their domains) will have to manually make the required corrections, and
>> the same goes for the vhosts.
>
> Except that if the user doesn't do this, the same security problem will
> occur.
The user is the admin of his/her site and so is ultimately responsible for
his/her site's security.
>> There are times when a global solution can't be applied, and this seems
>> to be one of those situations.
>
> There is a better solution: to fix mod_php and mod_rivet.
What's the fix you propose? I mean, what do you think is wrong in
these two packages? Fixing the sample scripts? Are these scripts poorly
written and exposing flaws? If so, it has to be corrected in the
upstream project, and I guess other Linux distributions are also affected
by this, but I have not read any further notice.
Anyway, if you're concerned about this, better contact the Debian Apache
team; they'll be able to explain why the fix has been applied to the Apache
package's default config file instead of the other two.
Greetings,
--
Camaleón