Bug#670518: apache2: should provide security information w.r.t. scripting modules

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view

Bug#670518: apache2: should provide security information w.r.t. scripting modules

Vincent Lefevre-10
Package: apache2.2-common
Version: 2.2.22-4
Severity: wishlist

The latest upgrade has the following in the ChangeLog:

apache2 (2.2.22-4) unstable; urgency=high

  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
    hosts' config files.
    If scripting modules like mod_php or mod_rivet are enabled on systems
    where either 1) some frontend server forwards connections to an apache2
    backend server on the localhost address, or 2) the machine running
    apache2 is also used for web browsing, this could allow a remote
    attacker to execute example scripts stored under /usr/share/doc.
    Depending on the installed packages, this could lead to issues like cross
    site scripting, code execution, or leakage of sensitive data.

 -- Stefan Fritsch <[hidden email]>  Sun, 15 Apr 2012 23:41:43 +0200

However this change does not fix the real problem, just the default
configuration. Debian should provide security information about
problems like that (see below the details about these problems), in
README.Debian or some separate information file (with "security" in
its name).

Also, it would be better to fix the scripting modules or their default
configuration so that they are enabled only when requested explicitly
on a per-directory basis (a bit like ExecCGI for the mod_cgi module?).

The admin of the machine or the end user (e.g. via his public_html in
his home dir) may want to link to some doc directory like /usr/share/doc
or $HOME/doc (if he installs software in his home dir). He may also want
to allow these doc to be accessible from remote machines. Scripts from
these directories should be read as text files, not executed. And the
user should know what to do to ensure that.

Even if the admin or the end user thinks this is safe because packages
provided scripting modules are not installed, this may not be the case
in the future, and the problem may be more hidden if such packages are
installed via dependencies. So, it would be nice to know what to do
even if such packages are not installed/enabled yet.

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi cgid dav dav_svn deflate dir
  env mime negotiation perl python reqtimeout setenvif status

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-worker  2.2.22-4
ii  apache2.2-common    2.2.22-4

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils  2.2.22-4
ii  apache2.2-bin  2.2.22-4
ii  lsb-base       4.1+Debian2
ii  mime-support   3.52-1
ii  perl           5.14.2-9
ii  procps         1:3.3.2-3

Versions of packages apache2.2-common recommends:
ii  ssl-cert  1.0.28

Versions of packages apache2.2-common suggests:
ii  apache2-doc                             2.2.22-4
ii  apache2-suexec | apache2-suexec-custom  <none>
ii  chromium [www-browser]                  18.0.1025.151~r130497-1
ii  epiphany-browser [www-browser]          3.2.1-2
ii  iceape [www-browser]                    2.7.3-2
ii  iceweasel [www-browser]                 10.0.4esr-1
ii  links [www-browser]                     2.6-1
ii  links2 [www-browser]                    2.6-1
ii  lynx-cur [www-browser]                  2.8.8dev.12-2
ii  midori [www-browser]                    0.4.3-1
ii  uzbl [www-browser]                      0.0.0~git.20111128-2
ii  w3m [www-browser]                       0.5.3-5

-- no debconf information

To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]
Archive: http://lists.debian.org/20120426105339.GA26613@...

Reply | Threaded
Open this post in threaded view

Bug#670518: Investment Proposal

Nael M. Al Homoud-2

Good day,

My associate from China wants to discuss a business investment deal with you. I awaiting your response to enable us discuss about this business investment

Nael M. Al Homoud
Executive Director & High Investment Committee Member@
The Arab Investment Co