[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, squeeze, updated. ea54cf573e0268d76bcd3fa0438e7dadc3dc8376
Stefan Fritsch
sf at sfritsch.de
Fri Apr 6 20:37:51 UTC 2012
The following commit has been merged in the squeeze branch:
commit ea54cf573e0268d76bcd3fa0438e7dadc3dc8376
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Sun Apr 1 00:21:25 2012 +0200
CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default
virtual hosts' config files
diff --git a/debian/changelog b/debian/changelog
index 512451f..9caa6ff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+apache2 (2.2.16-6+squeeze7) squeeze-security; urgency=high
+
+ * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default virtual
+ hosts' config files.
+ If scripting modules like mod_php or mod_rivet are enabled on systems
+ where either 1) some frontend server forwards connections to an apache2
+ backend server on the localhost address, or 2) the machine running
+ apache2 is also used for web browsing, this could allow a remote
+ attacker to execute example scripts stored under /usr/share/doc.
+ Depending on the installed packages, this could lead to issues like cross
+ site scripting, code execution, or leakage of sensitive data.
+
+ -- Stefan Fritsch <sf at debian.org> Sun, 01 Apr 2012 00:20:48 +0200
+
apache2 (2.2.16-6+squeeze6) squeeze-security; urgency=high
* Rebuild with distribution set to squeeze-security.
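Review bot: the entry describes the risk well but says nothing about installations where the admin has already edited or copied sites-available/default (dpkg does not silently replace a locally modified conffile, and copies made under another site name are never touched), so those systems keep the Alias after this upgrade. A sentence telling admins to grep their own site files for "Alias /doc" would close that gap, or the same text could go into NEWS.Debian so it is shown at upgrade time.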
diff --git a/debian/config-dir/sites-available/default b/debian/config-dir/sites-available/default
index c131197..b0703f5 100644
--- a/debian/config-dir/sites-available/default
+++ b/debian/config-dir/sites-available/default
@@ -28,14 +28,4 @@
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
-
- Alias /doc/ "/usr/share/doc/"
- <Directory "/usr/share/doc/">
- Options Indexes MultiViews FollowSymLinks
- AllowOverride None
- Order deny,allow
- Deny from all
- Allow from 127.0.0.0/255.0.0.0 ::1/128
- </Directory>
-
</VirtualHost>
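Review bot: removing the whole block rather than tightening the "Allow from 127.0.0.0/255.0.0.0 ::1/128" line is the right choice, since an address-based check cannot tell an admin on the console apart from a localhost reverse proxy forwarding untrusted requests or a browser running on the same host, which are exactly the two cases the changelog lists. Consider leaving a one-line comment where the Alias used to be, explaining why /doc is no longer served, so that admins who remember the old default do not re-add "Alias /doc/ "/usr/share/doc/"" with the same Options Indexes and FollowSymLinks.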
diff --git a/debian/config-dir/sites-available/default-ssl b/debian/config-dir/sites-available/default-ssl
index 9f2d7b8..ea454b8 100644
--- a/debian/config-dir/sites-available/default-ssl
+++ b/debian/config-dir/sites-available/default-ssl
@@ -30,15 +30,6 @@
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
- Alias /doc/ "/usr/share/doc/"
- <Directory "/usr/share/doc/">
- Options Indexes MultiViews FollowSymLinks
- AllowOverride None
- Order deny,allow
- Deny from all
- Allow from 127.0.0.0/255.0.0.0 ::1/128
- </Directory>
-
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
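Review bot: this is the same Alias/Directory block as in sites-available/default and gets the same treatment, which keeps the two templates in sync; the only difference is that the hunk here also drops the blank line that separated the block from the "# SSL Engine Switch:" comment, so the CustomLog line now runs directly into the SSL comment and a blank line between them would keep the file readable. Worth confirming that no other shipped site template outside this patch carries the same Alias.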