
Re: about DSA-2452-1 apache2 -- insecure default configuration



On Fri, 20 Apr 2012 01:50:29 +0200, Vincent Lefevre wrote:

> On 2012-04-19 15:08:55 +0000, Camaleón wrote:

>> >> I can be wrong but the bug seems aimed to correct the package which
>> >> contains the file that enables the alias by default, hence the
>> >> apache2 package.
>> > 
>> > But the user isn't necessarily the administrator. If the admin
>> > installs mod_php, making the bug appear if the user has added a
>> > symlink to /usr/share/doc, that's very bad.
>> 
>> Sure, but in such case the user (who is in charge of the "alias" for
>> their domains) will have to manually make the required corrections and
>> the same goes for the vhosts.
> 
> Except that if the user doesn't do this, the same security problem will
> occur.

The user is the admin of his/her site and so ultimately responsible for
his/her site's security.

>> There are times when a global solution can't be applied and this seems
>> to be one of those situations.
> 
> There is a better solution: to fix mod_php and mod_rivet.

What's the fix you propose? I mean, what do you think is wrong in
these two packages? Fixing the sample scripts? Are these scripts poorly
written and exposing flaws? If so, it has to be corrected in the
upstream project, and I guess other Linux distributions are also affected
by this, but I have not read any further notice.

Anyway, if you're concerned about this, better contact the Debian Apache
team; they'll be able to explain why the fix has been applied to the Apache
package's default config file instead of the other two.

Greetings,

-- 
Camaleón
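As an added example that is not part of this thread (nor Debian's own tooling): a POSIX shell check that scans a directory of Apache vhost files for an active Alias mapping a URL onto /usr/share/doc, the default-config mapping the advisory removed, and tells a configured vhost apart from a fixed one. The function name, the two constructed vhost files and the sample directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: scan a directory of Apache vhost files
# for an active (uncommented) Alias that maps a URL onto /usr/share/doc,
# the default-config mapping DSA-2452-1 removed. Sample vhosts are constructed.
set -eu

# find_doc_aliases DIR
#   Prints "file:line:directive" for each active Alias/AliasMatch whose target
#   is /usr/share/doc or a path below it. Returns 1 if any were found, 0 if clean.
find_doc_aliases() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # skip comment lines (leading '#'); accept optional quotes around the path
        hits=$(grep -n -E \
            '^[[:space:]]*Alias(Match)?[[:space:]]+[^[:space:]]+[[:space:]]+"?/usr/share/doc(/|"|[[:space:]]|$)' \
            "$f" || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s#^#$f:#"
            found=1
        fi
    done
    return $found
}

demo=$(mktemp -d)
# Constructed: a vhost in the pre-fix default shape (alias still active)
cat > "$demo/default" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
EOF
# Constructed: the same vhost after the alias has been commented out
cat > "$demo/default-fixed" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www
    # Alias /doc/ "/usr/share/doc/"
</VirtualHost>
EOF

# For a live check, point it at /etc/apache2/sites-enabled instead of "$demo".
if find_doc_aliases "$demo"; then
    echo "clean: no active /usr/share/doc alias"
else
    echo "exposure: active /usr/share/doc alias present (listed above)"
fi
rm -rf "$demo"
```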

