[SCM] Debian packaging for apache2 branch, master, updated. debian/2.4.4-6-7-g2f27ee5
Arno Töll
arno at debian.org
Sat Jul 13 20:22:05 UTC 2013
The following commit has been merged in the master branch:
commit 04ef4eafec396ee45caa6c2780239769623f6a62
Author: Arno Töll <arno at debian.org>
Date: Sat Jul 13 13:36:57 2013 +0200
Disallow access to /srv, but document how to enable it. Also warn about it in the NEWS file
diff --git a/debian/apache2.NEWS b/debian/apache2.NEWS
index 8e195dc..676d5d8 100644
--- a/debian/apache2.NEWS
+++ b/debian/apache2.NEWS
@@ -1,4 +1,4 @@
-apache2 (2.4.1-1) experimental; urgency=low
+apache2 (2.4.4-7) unstable; urgency=low
This package introduces a new major release of the Apache HTTP server. It is
likely the site configuration needs changes to work with this release.
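Review bot: retargeting the existing 2.4.1-1 entry to 2.4.4-7 means every user upgrading from an earlier 2.4.4-x in unstable is shown the full 2.4 transition text ("This package introduces a new major release ...") again, when the only news for them is the /srv change. Consider leaving the 2.4.1-1 entry as it was and adding a short, separate 2.4.4-7 entry that covers just the /srv security model; apt-listchanges shows every entry newer than the installed version, so both would be displayed to anyone coming from 2.2. Whichever way, the version in this header must match the changelog entry it belongs to, which at this point is still marked UNRELEASED.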
@@ -21,9 +21,13 @@ apache2 (2.4.1-1) experimental; urgency=low
a2enmod mpm_prefork
We did change the security model for Apache in our default configuration. We
- do not allow access to the file system outside /var/www, /srv and /usr/share.
+ do not allow access to the file system outside /var/www and /usr/share.
If you are running virtual hosts or scripts outside these directories, you
need to whitelist them in your configuration to grant access through HTTP.
+ Special care must be taken if you are using a sub-directory in /srv to serve
+ your content as recommended by the File Hierarchy Standard (FHS). You must
+ allow access to your served directory explicity in the corresponding virtual
+ host, or by allowing access in apache2.conf as proposed.
Moreover, the configuration mechanism in Debian has changed. All
configurations in sites-enabled and conf-enabled need a ".conf" suffix now.
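Review bot: "explicity" in the added paragraph should read "explicitly", and the standard is the Filesystem Hierarchy Standard, not the "File Hierarchy Standard". "by allowing access in apache2.conf as proposed" is also too vague for a reader who only sees the NEWS file: say what the proposal is, e.g. "or by uncommenting the <Directory /srv/> block in apache2.conf", and point out that a grant in apache2.conf applies to every virtual host, so a <Directory> stanza for the specific sub-directory inside the virtual host is the narrower choice.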
diff --git a/debian/changelog b/debian/changelog
index 0e0d5e2..8993714 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,15 +1,13 @@
apache2 (2.4.4-7) UNRELEASED; urgency=low
- [dear uploader, before uploaing this, sort out the /srv mess]
-
- * Allow access to /srv, beyond /var/www for user supplied vhosts by default.
- Thanks to joeyh for pointing this out.
+ * Document our security model in our NEWS file and highlight we do not allow
+ access to /srv. Thanks to joeyh for pointing this out.
* Allow the use of apache2-maintscript-helper from a sub-function. We rely
on dpkg's arguments supplied in $1, $2 etc. This clashes with function
arguments supplied to to sh sub-function. Allow manual override in such
cases.
- -- Arno Töll <arno at debian.org> Sun, 16 Jun 2013 11:49:30 +0200
+ -- Arno Töll <arno at debian.org> Sat, 13 Jul 2013 13:35:17 +0200
apache2 (2.4.4-6) unstable; urgency=low
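Review bot: the new entry only records the NEWS documentation, but this commit also drops the <Directory /srv/> grant from apache2.conf and rewrites the ServerName comment in 000-default.conf; both files are shipped configuration, so list them in the entry. Since the removed line ("Allow access to /srv ...") sat under the UNRELEASED 2.4.4-7 entry, it is worth saying that the grant was reverted before upload, so nobody goes looking for a released revision that allowed /srv. While editing this entry, fix "supplied to to sh sub-function" in the retained paragraph.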
diff --git a/debian/config-dir/apache2.conf b/debian/config-dir/apache2.conf
index fad3af3..c8d6184 100644
--- a/debian/config-dir/apache2.conf
+++ b/debian/config-dir/apache2.conf
@@ -145,9 +145,11 @@ Include ports.conf
# Sets the default security model of the Apache2 HTTPD server. It does
-# not allow access to the root filesystem outside of /usr/share, /srv and
-# /var/www. The former is used by web applications packaged in Debian,
-# the latter may be used for local directories served by the web server.
+# not allow access to the root filesystem outside of /usr/share and /var/www.
+# The former is used by web applications packaged in Debian,
+# the latter may be used for local directories served by the web server. If
+# your system is serving content from a sub-directory in /srv you must allow
+# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride None
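Review bot: "you must allow access here, or in any related virtual host" tells the administrator what to do but not how; name the mechanism in the comment, i.e. a <Directory /srv/...> stanza with "Require all granted", and prefer the per-virtual-host form for the specific sub-directory, because anything granted in apache2.conf is reachable from every virtual host. Also worth a word here: <Directory /> sets "Options FollowSymLinks", which every directory granted later (including anything under /srv) inherits, so a symlink in served content points outside the granted tree unless the stanza overrides it. Style: the second comment line ("The former is used by web applications packaged in Debian,") is wrapped short while its neighbours run to the margin; reflow the paragraph.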
@@ -165,11 +167,11 @@ Include ports.conf
Require all granted
</Directory>
-<Directory /srv/>
- Options Indexes FollowSymLinks
- AllowOverride None
- Require all granted
-</Directory>
+#<Directory /srv/>
+# Options Indexes FollowSymLinks
+# AllowOverride None
+# Require all granted
+#</Directory>
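Review bot: the commented template keeps "Options Indexes FollowSymLinks", so an administrator who uncomments it as the NEWS file suggests gets directory listings for every directory under /srv without an index file, for all virtual hosts at once. Ship the template without Indexes (it is easy to add back deliberately), and put a one-line comment above the block stating that uncommenting it grants the whole of /srv to every virtual host, since the explanatory comment earlier in the file only says "allow access here".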
diff --git a/debian/config-dir/sites-available/000-default.conf b/debian/config-dir/sites-available/000-default.conf
index 8b7d501..e3c973d 100644
--- a/debian/config-dir/sites-available/000-default.conf
+++ b/debian/config-dir/sites-available/000-default.conf
@@ -3,8 +3,10 @@
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
- # match this virtual host.
- # ServerName www.example.com
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
ServerAdmin webmaster at localhost
DocumentRoot /var/www
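Review bot: "this value is not decisive as it is used as a last resort host regardless" should state the actual rule, because the fallback is positional, not a property of this file: Apache uses the first <VirtualHost> defined for a given address and port when no ServerName or ServerAlias matches the request's Host header, and 000-default plays that role only because its name sorts first in sites-enabled. Say so, and note that a site whose file name sorts before 000-default becomes the fallback instead. "any further virtual host" reads better as "every other name-based virtual host".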
--
Debian packaging for apache2