[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, next, updated. 02f219f6424d4363708de997c60c48a3414e1472

Stefan Fritsch sf at sfritsch.de
Sat Apr 14 19:05:06 UTC 2012


The following commit has been merged in the next branch:
commit 02f219f6424d4363708de997c60c48a3414e1472
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sat Apr 14 21:04:20 2012 +0200

    Change default config to deny access to / in the file system and only
    allow access to /var/www, /usr/share, and /usr/lib/cgi-bin.
    Disable MultiViews.

diff --git a/debian/changelog b/debian/changelog
index 297e680..e8b5499 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
 apache2 (2.4.1-5) experimental; urgency=low
 
+  [ Arno Töll ]
   * NOT RELEASED YET
   * Drop update-alternative call in postrm. Our prerm script catches them
     already anyway.
@@ -18,7 +19,12 @@ apache2 (2.4.1-5) experimental; urgency=low
     just like it is possible for CFLAGS. This also means, config_vars.mk now
     exports hardening build flags by default
 
- -- Arno Töll <arno at debian.org>  Thu, 12 Apr 2012 02:55:09 +0200
+  [ Stefan Fritsch ]
+  * Change default config to deny access to / in the file system and only
+    allow access to /var/www, /usr/share, and /usr/lib/cgi-bin. Closes: #341022
+  * Disable MultiViews in the default config.
+
+ -- Stefan Fritsch <sf at debian.org>  Sat, 14 Apr 2012 20:59:59 +0200
 
 apache2 (2.4.1-3) experimental; urgency=low
 
diff --git a/debian/config-dir/apache2.conf b/debian/config-dir/apache2.conf
index 2a2f97b..c760089 100644
--- a/debian/config-dir/apache2.conf
+++ b/debian/config-dir/apache2.conf
@@ -53,7 +53,6 @@
 # TODO: Triage the following bugs involving conf changes:
 #	#589638 [w|  |  ] [apache2] apache2: Generally useful options currently set in sites-available/default should be moved to included file
 #	#548213 [w|  |  ] [apache2.2-common] Apache should protect .svn directories
-#	#341022 [w|  |  ] [apache2] default apache2.conf file should deny access to /
 #	#340947 [w|  |  ] [apache2.2-common] apache2-common: standard path to virtual host document roots under /var/www?
 #	#605123 [m|  |  ] [apache2.2-common] apache2.2-common: "incorrect" definitions of Common Log Format and Combined Log Format
 #	#649020 [n|  |  ] [apache2.2-common] apache2: stronger and faster default SSL config
@@ -144,14 +143,18 @@ LogLevel warn
 
 
 # XXX: Add comments
-# XXX: Maybe disable MultiViews by default?
 DocumentRoot /var/www
 <Directory />
     Options FollowSymLinks
     AllowOverride None
+    Require all denied
+</Directory>
+<Directory /usr/share>
+    AllowOverride None
+    Require all granted
 </Directory>
 <Directory /var/www/>
-    Options Indexes FollowSymLinks MultiViews
+    Options Indexes FollowSymLinks
     AllowOverride None
     Require all granted
 </Directory>
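Review bot: The `Require all denied` added to `<Directory />` does not cover symlink targets, because `Options FollowSymLinks` stays on `/` (and is inherited by the new `<Directory /usr/share>` block) and on `/var/www/`, and httpd matches `<Directory>` sections against the path that contains the link, not the path it resolves to. A link under either granted tree can therefore still expose files outside them. Consider dropping `FollowSymLinks` from the `/` block (`Options None`) so `/usr/share` does not inherit it, or using `Options SymLinksIfOwnerMatch` where links are needed. The remaining `# XXX: Add comments` could become `# Deny access to the whole filesystem by default; only the trees granted below are served.` The commit message also names /usr/lib/cgi-bin, which gets no block in this hunk; presumably it is granted in another file, which is worth confirming.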

-- 
Debian packaging for apache2 (Apache HTTPD 2.x)


