On Mon, 16 Apr 2012 14:25:17 +0200, Vincent Lefevre wrote:

> There has been the following change in apache2:
>
> apache2 (2.2.22-4) unstable; urgency=high
>
>   * CVE-2012-0216: Remove "Alias /doc /usr/share/doc" from the default
>     virtual
> (...)
> More information on:
>
> http://www.debian.org/security/2012/dsa-2452.en.html
>
> However, what if some user has a symlink to /usr/share/doc in his
> public_html? I haven't tried, but it seems that the bug would still
> occur (otherwise the right solution wouldn't have been to remove the
> alias, but to change how the scripting modules can affect some paths).

The additional information for the updaters encourages users to review
other configuration files that can also be affected:

***
This update removes the problematic configuration sections from the
files /etc/apache2/sites-available/default and .../default-ssl. When
upgrading, you should not blindly allow dpkg to replace those files,
though. Rather you should merge the changes, namely the removal of the
"Alias /doc "/usr/share/doc"" line and the related
"<Directory "/usr/share/doc/">" block, into your versions of these
config files. You may also want to check if you have copied these
sections to any additional virtual host configurations.
***

So at a first glance, I'd also say the bug can be present regardless of
the location of the hosted files, but the DSA only addresses the default
template config.

> IMHO, the real bug is in mod_php or mod_rivet, that shouldn't be active
> (at least concerning the scripting features) by default unless this is
> explicitly told with some "Options" for the concerned directory.

I can be wrong, but the bug seems aimed to correct the package which
contains the file that enables the alias by default, hence the apache2
package.

Greetings,

-- 
Camaleón

Archive: http://lists.debian.org/jmk2s4$h73$1...@dough.gmane.org
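The DSA's advice quoted above, to check every virtual host file for copies of the "Alias /doc" line and its "<Directory /usr/share/doc>" block, as an added example that is not part of this thread or of Debian's packaging: a small Python scanner that flags both directives and reports the Options granted in the block. The sample vhost it runs on is constructed; the function and regex names are my own.

```python
import re
from typing import Dict, List

# The two pre-fix directives the DSA says to hunt for in every vhost file,
# not only sites-available/default: the Alias and its Directory block.
ALIAS_RE = re.compile(r'^\s*Alias\s+/doc/?\s+"?/usr/share/doc/?"?\s*$', re.I)
DIR_OPEN_RE = re.compile(r'^\s*<Directory\s+"?/usr/share/doc/?"?\s*>', re.I)
DIR_CLOSE_RE = re.compile(r'^\s*</Directory\s*>', re.I)
OPTIONS_RE = re.compile(r'^\s*Options\s+(.*)$', re.I)

def scan_config_text(text: str, name: str = "<string>") -> List[Dict]:
    """Return one finding per Alias line or /usr/share/doc Directory block."""
    findings = []
    in_block, block_start, block_opts = False, 0, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALIAS_RE.match(line):
            findings.append({"file": name, "line": lineno, "kind": "alias"})
        elif DIR_OPEN_RE.match(line):
            in_block, block_start, block_opts = True, lineno, []
        elif in_block:
            m = OPTIONS_RE.match(line)
            if m:  # record what the block grants (Indexes, FollowSymLinks, ...)
                block_opts.extend(m.group(1).split())
            if DIR_CLOSE_RE.match(line):
                findings.append({"file": name, "line": block_start,
                                 "kind": "directory", "options": block_opts})
                in_block = False
    return findings

# Constructed sample: the pre-fix Debian default section copied into a second
# virtual host, which is exactly the situation the DSA warns about.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    DocumentRoot /var/www
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for f in scan_config_text(SAMPLE_VHOST, "sites-available/example"):
        print(f)
```

Run it over each file under /etc/apache2 (sites-available, sites-enabled, conf.d) and merge the removal into any file that produces findings rather than letting dpkg overwrite only the default file.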