[SCM] Debian packaging for apache2 branch, master, updated. debian/2.4.4-6-7-g2f27ee5

Arno Töll arno at debian.org
Sat Jul 13 20:22:05 UTC 2013


The following commit has been merged in the master branch:
commit 04ef4eafec396ee45caa6c2780239769623f6a62
Author: Arno Töll <arno at debian.org>
Date:   Sat Jul 13 13:36:57 2013 +0200

    Disallow access to /srv, but document how to enable it. Also warn about it in the NEWS file

diff --git a/debian/apache2.NEWS b/debian/apache2.NEWS
index 8e195dc..676d5d8 100644
--- a/debian/apache2.NEWS
+++ b/debian/apache2.NEWS
@@ -1,4 +1,4 @@
-apache2 (2.4.1-1) experimental; urgency=low
+apache2 (2.4.4-7) unstable; urgency=low
 
   This package introduces a new major release of the Apache HTTP server. It is
   likely the site configuration needs changes to work with this release.
@@ -21,9 +21,13 @@ apache2 (2.4.1-1) experimental; urgency=low
   a2enmod mpm_prefork
 
   We did change the security model for Apache in our default configuration. We
-  do not allow access to the file system outside /var/www, /srv and /usr/share.
+  do not allow access to the file system outside /var/www and /usr/share.
   If you are running virtual hosts or scripts outside these directories, you
   need to whitelist them in your configuration to grant access through HTTP.
+  Special care must be taken if you are using a sub-directory in /srv to serve
+  your content as recommended by the File Hierarchy Standard (FHS). You must
+  allow access to your served directory explicity in the corresponding virtual
+  host, or by allowing access in apache2.conf as proposed.
 
   Moreover, the configuration mechanism in Debian has changed. All
   configurations in sites-enabled and conf-enabled need a ".conf" suffix now.
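Review bot: two spelling fixes in the added NEWS lines: `explicity` should be `explicitly`, and the standard is the `Filesystem Hierarchy Standard`, not the `File Hierarchy Standard`. "as proposed" also leaves the reader guessing where the proposal lives; name the commented-out `<Directory /srv/>` stanza in apache2.conf so an administrator upgrading from an earlier 2.4 package knows exactly which block to uncomment instead of re-opening all of `/` to get their site back.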
diff --git a/debian/changelog b/debian/changelog
index 0e0d5e2..8993714 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,15 +1,13 @@
 apache2 (2.4.4-7) UNRELEASED; urgency=low
 
-  [dear uploader, before uploaing this, sort out the /srv mess]
-
-  * Allow access to /srv, beyond /var/www for user supplied vhosts by default.
-    Thanks to joeyh for pointing this out.
+  * Document our security model in our NEWS file and highlight we do not allow
+    access to /srv. Thanks to joeyh for pointing this out.
   * Allow the use of apache2-maintscript-helper from a sub-function. We rely
     on dpkg's arguments supplied in $1, $2 etc. This clashes with function
     arguments supplied to to sh sub-function. Allow manual override in such
     cases.
 
- -- Arno Töll <arno at debian.org>  Sun, 16 Jun 2013 11:49:30 +0200
+ -- Arno Töll <arno at debian.org>  Sat, 13 Jul 2013 13:35:17 +0200
 
 apache2 (2.4.4-6) unstable; urgency=low
 
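Review bot: the changelog entry only says the NEWS file now documents the model, but the same commit also comments out the `<Directory /srv/>` block in apache2.conf, which is a behaviour change for anyone who deployed the earlier 2.4.4 packages with /srv open; state that in the entry so it is visible at upgrade time. Drive-by in the unchanged context lines: `supplied to to sh sub-function` has a doubled `to`.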
diff --git a/debian/config-dir/apache2.conf b/debian/config-dir/apache2.conf
index fad3af3..c8d6184 100644
--- a/debian/config-dir/apache2.conf
+++ b/debian/config-dir/apache2.conf
@@ -145,9 +145,11 @@ Include ports.conf
 
 
 # Sets the default security model of the Apache2 HTTPD server. It does
-# not allow access to the root filesystem outside of /usr/share, /srv and
-# /var/www. The former is used by web applications packaged in Debian,
-# the latter may be used for local directories served by the web server.
+# not allow access to the root filesystem outside of /usr/share and /var/www.
+# The former is used by web applications packaged in Debian,
+# the latter may be used for local directories served by the web server. If
+# your system is serving content from a sub-directory in /srv you must allow
+# access here, or in any related virtual host.
 <Directory />
 	Options FollowSymLinks
 	AllowOverride None
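Review bot: `you must allow access here` does not say where `here` is; point at the commented-out `<Directory /srv/>` stanza further down in this file, for example `# uncomment the <Directory /srv/> block below, or add a <Directory> stanza for the served sub-directory in the virtual host.` Minor: the rewrapped comment leaves a short line (`# The former is used by web applications packaged in Debian,`); reflow to the file's width.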
@@ -165,11 +167,11 @@ Include ports.conf
 	Require all granted
 </Directory>
 
-<Directory /srv/>
-	Options Indexes FollowSymLinks
-	AllowOverride None
-	Require all granted
-</Directory>
+#<Directory /srv/>
+#	Options Indexes FollowSymLinks
+#	AllowOverride None
+#	Require all granted
+#</Directory>
 
 
 
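Review bot: the commented-out template keeps `Options Indexes FollowSymLinks`, so an administrator who uncomments it as-is gets automatic directory listings for everything under /srv/, not only the sub-directory they actually serve. Suggest shipping the template without `Indexes` (listings can be turned on per virtual host where wanted) and with the path set to the served sub-directory rather than `/srv/`, which matches the NEWS text that talks about a sub-directory in /srv; a one-line comment above the block saying why it is disabled by default would also help.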
diff --git a/debian/config-dir/sites-available/000-default.conf b/debian/config-dir/sites-available/000-default.conf
index 8b7d501..e3c973d 100644
--- a/debian/config-dir/sites-available/000-default.conf
+++ b/debian/config-dir/sites-available/000-default.conf
@@ -3,8 +3,10 @@
 	# the server uses to identify itself. This is used when creating
 	# redirection URLs. In the context of virtual hosts, the ServerName
 	# specifies what hostname must appear in the request's Host: header to
-	# match this virtual host.
-	# ServerName www.example.com
+	# match this virtual host. For the default virtual host (this file) this
+	# value is not decisive as it is used as a last resort host regardless.
+	# However, you must set it for any further virtual host explicitly.
+	#ServerName www.example.com
 
 	ServerAdmin webmaster at localhost
 	DocumentRoot /var/www
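Review bot: `this value is not decisive as it is used as a last resort host regardless` is hard to parse; say what actually happens: the first virtual host defined for an address and port (000-default.conf sorts first in sites-enabled) answers any request whose Host: header matches no other virtual host, so ServerName here only affects self-referential redirects. Also `must set it for any further virtual host explicitly` reads better as `must set it explicitly in every additional virtual host`.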

-- 
Debian packaging for apache2


