Re: about DSA-2452-1 apache2 -- insecure default configuration



On Fri, 20 Apr 2012 01:50:29 +0200, Vincent Lefevre wrote:

> On 2012-04-19 15:08:55 +0000, Camaleón wrote:
>
>> I can be wrong but the bug seems aimed to correct the package which
>> contains the file that enables the alias by default, hence the
>> apache2 package.
>
> But the user isn't necessarily the administrator. If the admin
> installs mod_php, making the bug appear if the user has added a
> symlink to /usr/share/doc, that's very bad.
>
>> Sure, but in such case the user (who is in charge of the "alias" for
>> their domains) will have to manually make the required corrections and
>> the same goes for the vhosts.
>
> Except that if the user doesn't do this, the same security problem will
> occur.

The user is the admin of his/her site and so ultimately responsible for
his/her site security.

There are times when a global solution can't be applied and this seems
to be one of those situations.

> There is a better solution: to fix mod_php and mod_rivet.

What's the fix you propose? I mean, what do you think is wrong in
these two packages? Fixing the sample scripts? Are these scripts poorly
written and exposing flaws? If this is so, it has to be corrected in the
upstream project and I guess other Linux distributions are also affected
by this, but I have not read any further notice.

Anyway, if you're concerned about this, better contact the Debian Apache
team, they'll be able to explain why the fix has been on the Apache's
package default config file instead of the other two.

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
Archive: http://lists.debian.org/jmrsan$o0u$9@xxxxxxxxxxxxxxx
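As an added illustration of the configuration pattern the thread is arguing about (this is example code, not code from the thread, from Debian or from the apache2 package): a small Python audit that scans Apache configuration text for an Alias that maps the package documentation tree (/usr/share/doc) into URL space while a scripting module such as mod_php or mod_rivet is loaded, and a helper that applies the kind of mitigation the apache2 update took, commenting the alias out. The sample configuration, the set of module identifiers, the function names and the severity scheme are constructed for this example.

```python
#!/usr/bin/env python3
"""Audit Apache config text for the DSA-2452-1 pattern.

Added example, not code from the mailing-list thread or from Debian.
The pattern: an Alias maps the package documentation tree (/usr/share/doc)
into URL space while a server-side scripting module (mod_php, mod_rivet)
is loaded, so example scripts shipped in package docs become reachable
through the web server.  The sample config below is constructed.
"""
import os
import re

DOC_ROOT = "/usr/share/doc"

# Module identifiers that execute scripts in served files.  Assumption for
# this example; extend it for other handlers deployed on a given host.
SCRIPTING_MODULES = {"php5_module", "php7_module", "rivet_module"}

ALIAS_RE = re.compile(r'^\s*(?:Script)?Alias\s+(\S+)\s+"?([^"\s]+)"?\s*$', re.I)
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+\S+", re.I)


def _under_doc_root(path):
    """True if an alias target resolves to DOC_ROOT or a directory below it."""
    norm = os.path.normpath(path)
    return norm == DOC_ROOT or norm.startswith(DOC_ROOT + "/")


def parse_config(text):
    """Collect (url, target, line_no) for every active Alias/ScriptAlias and
    the set of identifiers loaded with LoadModule.  Commented lines are skipped."""
    aliases, modules = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases.append((m.group(1), m.group(2), n))
            continue
        m = LOADMODULE_RE.match(line)
        if m:
            modules.add(m.group(1))
    return aliases, modules


def audit(text):
    """Return findings for aliases into the doc tree.  Severity is 'high'
    when a scripting module is loaded (scripts under the alias may run)
    and 'low' otherwise (the alias still discloses installed package docs)."""
    aliases, modules = parse_config(text)
    script_mods = sorted(modules & SCRIPTING_MODULES)
    findings = []
    for url, target, n in aliases:
        if not _under_doc_root(target):
            continue
        findings.append({
            "line": n,
            "url": url,
            "path": os.path.normpath(target),
            "severity": "high" if script_mods else "low",
            "modules": script_mods,
        })
    return findings


def harden(text):
    """Return the config with every Alias into the doc tree commented out,
    the same kind of change the apache2 update for DSA-2452-1 made to the
    default alias."""
    out = []
    for raw in text.splitlines():
        m = ALIAS_RE.match(raw)
        if m and _under_doc_root(m.group(2)):
            out.append("# disabled (DSA-2452-1): " + raw.strip())
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample in a Debian-style layout; not a copy of any real file.
SAMPLE_CONFIG = """\
LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
LoadModule php5_module /usr/lib/apache2/modules/libphp5.so

# Package documentation tree, reachable only from localhost.
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

# Unrelated alias; must not be flagged.
Alias /static/ "/srv/www/static/"
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['severity']}: line {f['line']} {f['url']} -> {f['path']} "
              f"(scripting modules: {', '.join(f['modules']) or 'none'})")
    print("after harden():", audit(harden(SAMPLE_CONFIG)))
```

The localhost-only `Allow from` block is deliberately left in the sample: as the thread notes, the restriction does not help when a local front-end proxies to the backend or when a user drops a symlink into the documentation tree, which is why the audit flags the alias regardless of the access rule and rates it by whether a scripting module is loaded.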
