[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, squeeze, updated. ea54cf573e0268d76bcd3fa0438e7dadc3dc8376

Stefan Fritsch sf at sfritsch.de
Fri Apr 6 20:37:51 UTC 2012


The following commit has been merged in the squeeze branch:
commit ea54cf573e0268d76bcd3fa0438e7dadc3dc8376
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sun Apr 1 00:21:25 2012 +0200

    CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default
    virtual hosts' config files

diff --git a/debian/changelog b/debian/changelog
index 512451f..9caa6ff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+apache2 (2.2.16-6+squeeze7) squeeze-security; urgency=high
+
+  * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
+    hosts' config files.
+    If scripting modules like mod_php or mod_rivet are enabled on systems
+    where either 1) some frontend server forwards connections to an apache2
+    backend server on the localhost address, or 2) the machine running
+    apache2 is also used for web browsing, this could allow a remote
+    attacker to execute example scripts stored under /usr/share/doc.
+    Depending on the installed packages, this could lead to issues like cross
+    site scripting, code execution, or leakage of sensitive data.
+
+ -- Stefan Fritsch <sf at debian.org>  Sun, 01 Apr 2012 00:20:48 +0200
+
 apache2 (2.2.16-6+squeeze6) squeeze-security; urgency=high
 
   * Rebuild with distribution set to squeeze-security.
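Review bot: the changelog entry explains the exposure scenarios but not what administrators with already-deployed copies of sites-available/default and default-ssl should do; since this diff only changes the packaged default files, a sentence here (or a NEWS entry) telling users to remove the `Alias /doc/ "/usr/share/doc/"` block from any existing site configurations would make the fix actionable on upgraded systems, not just fresh installs.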
diff --git a/debian/config-dir/sites-available/default b/debian/config-dir/sites-available/default
index c131197..b0703f5 100644
--- a/debian/config-dir/sites-available/default
+++ b/debian/config-dir/sites-available/default
@@ -28,14 +28,4 @@
 	LogLevel warn
 
 	CustomLog ${APACHE_LOG_DIR}/access.log combined
-
-    Alias /doc/ "/usr/share/doc/"
-    <Directory "/usr/share/doc/">
-        Options Indexes MultiViews FollowSymLinks
-        AllowOverride None
-        Order deny,allow
-        Deny from all
-        Allow from 127.0.0.0/255.0.0.0 ::1/128
-    </Directory>
-
 </VirtualHost>
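Review bot: dropping the whole block rather than tightening it is the right call, since the guard being removed (`Deny from all` / `Allow from 127.0.0.0/255.0.0.0 ::1/128`) keys only on the client address, which is exactly what a frontend proxying to the localhost backend or a browser on the same machine satisfies, so no narrower address list would have closed the hole described in the changelog. It is also worth noting in review that the removed `<Directory>` set `Options Indexes MultiViews FollowSymLinks` on a package-owned tree full of example scripts, so losing directory listings and symlink following there is a gain, not a regression. The mixed indentation (spaces in this block, tabs elsewhere in the file) disappears with it.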
diff --git a/debian/config-dir/sites-available/default-ssl b/debian/config-dir/sites-available/default-ssl
index 9f2d7b8..ea454b8 100644
--- a/debian/config-dir/sites-available/default-ssl
+++ b/debian/config-dir/sites-available/default-ssl
@@ -30,15 +30,6 @@
 
 	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
 
-	Alias /doc/ "/usr/share/doc/"
-	<Directory "/usr/share/doc/">
-		Options Indexes MultiViews FollowSymLinks
-		AllowOverride None
-		Order deny,allow
-		Deny from all
-		Allow from 127.0.0.0/255.0.0.0 ::1/128
-	</Directory>
-
 	#   SSL Engine Switch:
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
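Review bot: this is the same removal as in `default`, so the two shipped vhosts are now consistent; before merging it would be worth grepping the rest of debian/config-dir (conf.d and any other site templates) for another `Alias /doc/` or `<Directory "/usr/share/doc/">` so that these two files are not the only places the example-script tree was exposed.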

-- 
Debian packaging for apache2 (Apache HTTPD 2.x)
