[SCM] Debian packaging for apache2 branch, master, updated. debian/2.4.4-6-2-g2adb1c6

Arno Töll arno at debian.org
Sat Jun 8 15:52:05 UTC 2013


The following commit has been merged in the master branch:
commit 2adb1c65407a37009b3e11129d04e668fa6ba31a
Author: Arno Töll <arno at debian.org>
Date:   Sat Jun 8 17:51:58 2013 +0200

    Adapt our NEWS file and explain our security model

diff --git a/debian/apache2.NEWS b/debian/apache2.NEWS
index df2e464..8e195dc 100644
--- a/debian/apache2.NEWS
+++ b/debian/apache2.NEWS
@@ -20,6 +20,11 @@ apache2 (2.4.1-1) experimental; urgency=low
   a2dismod mpm_worker
   a2enmod mpm_prefork
 
+  We did change the security model for Apache in our default configuration. We
+  do not allow access to the file system outside /var/www, /srv and /usr/share.
+  If you are running virtual hosts or scripts outside these directories, you
+  need to whitelist them in your configuration to grant access through HTTP.
+
   Moreover, the configuration mechanism in Debian has changed. All
   configurations in sites-enabled and conf-enabled need a ".conf" suffix now.
   The latter replaces the deprecated /etc/apache2/conf.d/ directory (which is
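Review bot: The added paragraph tells administrators to "whitelist" directories outside /var/www, /srv and /usr/share but does not say where or how, so a reader whose virtual host starts returning 403 after the upgrade has no pointer to the fix. Name the mechanism, for example a `<Directory>` block for the affected path in apache2.conf or in the virtual host, and point to the "default security model" comment in apache2.conf. Also, "We did change" reads more naturally as "We changed". Since the text lands in the existing 2.4.1-1 stanza, systems that already saw that NEWS entry may not be shown the addition.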
diff --git a/debian/config-dir/apache2.conf b/debian/config-dir/apache2.conf
index 9411bc2..fad3af3 100644
--- a/debian/config-dir/apache2.conf
+++ b/debian/config-dir/apache2.conf
@@ -145,7 +145,7 @@ Include ports.conf
 
 
 # Sets the default security model of the Apache2 HTTPD server. It does
-# not allow access to the root filesystem outside of /usr/share and
+# not allow access to the root filesystem outside of /usr/share, /srv and
 # /var/www. The former is used by web applications packaged in Debian,
 # the latter may be used for local directories served by the web server.
 <Directory />
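Review bot: With /srv inserted, the comment lists three directories, but the following lines still say "The former ... the latter", which only works for two items. /srv is left without an explanation, and it is no longer clear which path "the former" refers to. Reword the comment to describe each path by name, for example "/usr/share is used by web applications packaged in Debian; /srv and /var/www may be used for local directories". The visible lines change only the comment, so please confirm that the configuration below `<Directory />` actually contains a matching grant for /srv, otherwise the comment and the NEWS entry promise access that the defaults do not give.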

-- 
Debian packaging for apache2


