Bug#603586: apache2.2-common: README.Debian claims /etc/apache2/magic would be empty

2010-11-15 Thread Christoph Anton Mitterer
Package: apache2.2-common Version: 2.2.16-4 Severity: minor Hi. The documentation in /usr/share/doc/apache2.2-common/README.Debian.gz must be wrong, as it claims /etc/apache2/magic would be empty, which is not the case. Cheers, Chris.

Bug#604980: remove/disable /etc/apache2/conf.d/apache2-doc per default

2010-11-25 Thread Christoph Anton Mitterer
Package: apache2-doc Version: 2.2.16-4 Severity: wishlist Hi. May I suggest to disable or even better remove /etc/apache2/conf.d/apache2-doc per default? I guess most people _don't_ want their servers to have the apache documentation provided to the web. IMHO the file should go to some /u/s/d/apach

Bug#605123: apache2.2-common: "incorrect" definitions of Common Log Format and Combined Log Format

2010-11-27 Thread Christoph Anton Mitterer
Package: apache2.2-common Version: 2.2.16-4 Severity: minor Hi. In the apache2.conf you make some predefined log-formats, including one for the Common Log Format and one for the Combined Log Format. Those are defined there using %O for the number of bytes. Most other resources I could find (e.g

Bug#605123: apache2.2-common: "incorrect" definitions of Common Log Format and Combined Log Format

2010-11-27 Thread Christoph Anton Mitterer
btw: This applies also to the other vhost combined version. Another reason to really use the _same_ definition of CLF as apache does is, that this format is already hardcoded in case no LogFormat Directive is given and TransferLog is used.

Bug#605125: apache2.2-common: the last LogFormat entry in apache2.conf should be CLF

2010-11-27 Thread Christoph Anton Mitterer
Package: apache2.2-common Version: 2.2.16-4 Severity: wishlist Hi. Currently the last LogFormat in apache2.conf is (per default): LogFormat "%{User-agent}i" agent For the TransferLog directive, the most recent LogFormat directive specifies the format. So may I suggest, to put the combined defi
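The two reports above (the %O versus %b question and the position of the last LogFormat) both come down to how mod_log_config resolves formats. The following configuration fragment is an added illustration, not text from the bug reports or from the Debian apache2.conf: it puts the upstream CLF/Combined definitions (using %b, the response body size) beside %O-based variants of the kind the reports describe (bytes sent on the wire, headers included), and shows the rule TransferLog actually follows. The nicknames ending in _wire and the log file names are assumptions made for the example.

```apache
# Added example, not Debian's apache2.conf. Apache does not allow trailing
# comments on a directive line, so every comment sits on its own line.

# Upstream Common Log Format and Combined Log Format as documented for
# mod_log_config. %b is the size of the response body, "-" when no body
# was sent, which is what CLF-aware log parsers expect in that field.
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

# Same layouts with %O instead of %b (assumed nicknames). %O counts all bytes
# sent including headers, so the field is larger than the body size and the
# line is no longer CLF even though it has the same shape. Keep such formats
# under a distinct nickname rather than calling them "common"/"combined".
LogFormat "%h %l %u %t \"%r\" %>s %O" common_wire
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_wire

# TransferLog does not take a format argument. It uses the most recently
# specified LogFormat directive that defines NO nickname; if there is none,
# the built-in CLF (%h %l %u %t \"%r\" %>s %b) is used. A nicknamed
# LogFormat such as "agent" above is therefore never picked up by TransferLog.
LogFormat "%h %l %u %t \"%r\" %>s %b"
TransferLog ${APACHE_LOG_DIR}/transfer.log

# CustomLog names the format explicitly, so its position does not matter.
CustomLog ${APACHE_LOG_DIR}/access.log combined
```

To check which format a running server will use, `apachectl -t -D DUMP_CONFIG` (Apache 2.4, requires mod_info) prints the processed configuration in order; for 2.2, reading the effective file order with `apache2ctl -S` only shows vhosts, so inspect the generated access log lines and confirm that the size field equals the body length of a known static file (it will be larger with %O).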

Bug#605149: apache2.2-common: mod_authn_default should be enabled by default

2010-11-27 Thread Christoph Anton Mitterer
Package: apache2.2-common Version: 2.2.16-4 Severity: wishlist Hi. IMHO, mod_authn_default should be enabled in the default config, just as mod_authz_default already is. It provides a fall-back (denying) authorisation provider. Cheers, Chris.

Bug#605535: apache2.2-common: a2dissite bash completion cannot cope with 000-default/default site

2010-11-30 Thread Christoph Anton Mitterer
Package: apache2.2-common Version: 2.2.16-4 Severity: minor Hi. It seems that you've added code to a2dissite/a2ensite to nicely handle the special(?) sites "default" to be added automatically as "000-default". Both tools also provide bash-completion, but a2dissite only identifies the "000-defau

Bug#654545: apache2-suexec: some possible security improvements for suexec/suexec-custom

2012-01-03 Thread Christoph Anton Mitterer
Package: apache2-suexec Severity: normal Hi. Currently suexec is compiled with: -D AP_GID_MIN=100 -D AP_UID_MIN=100 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin" Some things that are perhaps worth thinking about: 1) Is there a specific security reason not to include /sbin and /usr/sbin ? I

Bug#605123: apache2.2-common: "incorrect" definitions of Common Log Format and Combined Log Format

2012-04-14 Thread Christoph Anton Mitterer
On Sat, 2012-04-14 at 21:26 +0200, Stefan Fritsch wrote: > We had that in the past. The problem with %b is that it gives no > indication if the request was a partial request but always logs the > size of the complete document. I think that the inaccuracies because > of the headers are smaller th

Re: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-06-01 Thread Christoph Anton Mitterer
On Fri, 2012-06-01 at 16:16 +0200, Stefan Fritsch wrote: > I would vote for > the release notes plus Release notes is a good idea, Stefan, Brian... can anyone of you take care of this or should I (but I'm on vacation starting next Tue, so that would take some time). > either apache2 or mod_php N

Re: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-07-31 Thread Christoph Anton Mitterer
Hey folks. How are things going with this issue? I guess what I propose here (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674089#35) is the best/safest way to go: 1) something in the release notes 2) the NEWS files of at least mime-types, apache, php5-common (mod_php is not enough) li

Re: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-12 Thread Christoph Anton Mitterer
On Sat, 2012-08-04 at 12:44 +0900, Charles Plessy wrote: > do I understand correctly that the problem would be solved by documenting the > change in the release notes ? Well as said, I do _NOT_ consider this to be enough (see my previous mail for my proposed steps). > If yes, can somebody write a

Re: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-13 Thread Christoph Anton Mitterer
On Tue, 2012-08-14 at 08:06 +0900, Charles Plessy wrote: > + You should also be aware, that a server deployed in CGI mode is open > + to several possible vulnerabilities, see upstream CGI security page > + to learn how to defend yourself from such attacks: > + http://www.php.net/manual/en/secur

Re: Bug#674089: [php-maint] Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-14 Thread Christoph Anton Mitterer
On Wed, 2012-08-15 at 09:02 +0900, Charles Plessy wrote: > For the moment there is the draft proposed by Christoph at > http://bugs.debian.org/674089#66 I should note perhaps, that this draft expected all the proposals I made in #674205 to be in place, which they were not yet, when I've looked the

Re: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-15 Thread Christoph Anton Mitterer
On Wed, 2012-08-15 at 10:40 +0200, Ondřej Surý wrote: > With the exception of RemoteType php they are all in the place. I've just had a look into git (I guess that's the canonical location?): http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob_plain;f=debian/php5-common.README.Debian;hb=HEAD

Re: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-15 Thread Christoph Anton Mitterer
On Wed, 2012-08-15 at 21:07 +0200, Stefan Fritsch wrote: > Since we have gone to great pains to not use the magic MIME types > anymore, I think we should not recommend them here. Or at least not as > the first option. Stefan, can you please elaborate on what you mean with magic MIME types? (you'r

Re: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-15 Thread Christoph Anton Mitterer
On Thu, 2012-08-16 at 00:24 +0200, Stefan Fritsch wrote: > > Stefan, can you please elaborate on what you mean with magic MIME > > types? (you're talking about MIME type discovery via libmagic or > > similar? That would be not what's suggested above!) > > The mime types that are also handler names

Re: Bug#674089: [php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

2012-08-16 Thread Christoph Anton Mitterer
On Fri, 2012-08-17 at 08:00 +0900, Charles Plessy wrote: > - In Squeeze, using default configurations, files with ".php" in their name >such as "foo.php.jpeg" are executed as PHP scripts by the Apache web > server. Looking at mod-php5 5.3.3-7+squeeze14: not vulnerable, but not optimised eithe

Re: Possible release note for systems running PHP through CGI.

2012-08-20 Thread Christoph Anton Mitterer
Hi Ondřej. On Mon, 2012-08-20 at 14:57 +0200, Ondřej Surý wrote: > http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=commit;h=72eef08994f65b227103509617652d7c0bf0587a - You mention in the README.Debian now, that no other webserver likely used /etc/mime.types. Wasn't there someone who meant li

Re: Possible release note for systems running PHP through CGI.

2012-08-21 Thread Christoph Anton Mitterer
On Tue, 2012-08-21 at 09:07 +0200, Ondřej Surý wrote: > > Maybe add just a small paragraph that the configuration of the > > extensions has changed and php users should read the NEWS file? > > That's probably sensible approach. I have quickly drafted short > paragraph which can be used for releas

Apache and BEAST

2012-09-14 Thread Christoph Anton Mitterer
Hi. I wondered about the status of the BEAST attack in Debian, especially: 1) Can I use any cipher suite and still be secure (e.g. use AES and disable RC4; the latter is often claimed to secure things... while there are however sources on the web claiming it would be even more vulnerable tha

Bug#654764: Apache and BEAST

2012-09-17 Thread Christoph Anton Mitterer
Hi Stefan :) On Sun, 2012-09-16 at 10:31 +0200, Stefan Fritsch wrote: > Browsers now have a workaround that splits/inserts TLS records that > cause the IV to be changed. So this works also with CBC ciphers. Yeah I knew,... > This > is basically the same what openssl does since before 0.9.6. ..

Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine

2012-10-08 Thread Christoph Anton Mitterer
On Mon, 2012-10-08 at 15:38 +0200, Ondřej Surý wrote: > Just one last question which came to my mind. Would this all be fixed > if we added non-magic type to mime-support (e.g. > http://bugs.debian.org/670945) and reverting the changes done in the > php5-cgi package? I'm a bit unsure how/why that w

Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine

2012-10-08 Thread Christoph Anton Mitterer
On Mon, 2012-10-08 at 22:42 +0200, Ondřej Surý wrote: > Basically it would bring the old behaviour back while not mangling > with custom Set/AddHandler directives in the apache. Remember the > php5_cgi.{load,conf} hack was introduced after decision to fix this > only in Apache - which in turn cause

Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine

2012-10-11 Thread Christoph Anton Mitterer
Hi Charles. On Thu, 2012-10-11 at 09:06 +0900, Charles Plessy wrote: > Do you think that there is a way to fix #589384 (the *.php.foo problem) > without removing the application/x-httpd-* media types ? I would say no, well at least not if we also want to use these media types later on in Apache t

Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine

2012-10-11 Thread Christoph Anton Mitterer
Oh and one more thing (even though this is PHP unrelated): Maybe I misunderstand something but it seems both: libapache2-mod-fcgid, which uses: AddHandler fcgid-script .fcgi FcgidConnectTimeout 20 and libapache2-mod-fastcgi, which uses: AddHandler fastcgi-script .fcgi #FastCgiWrapp

Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine

2012-10-15 Thread Christoph Anton Mitterer
Hey folks. On Tue, 2012-10-16 at 00:16 +0200, Stefan Fritsch wrote: > And remove the php-cgi.conf completely, right? So this would introduce > a different fix for the multi-views problem. Are you sure that there > is no other problem that we would re-introduce? Maybe it's worth a > try. > The

Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine

2012-10-28 Thread Christoph Anton Mitterer
On Fri, 2012-10-26 at 13:18 +0200, Ondřej Surý wrote: > + It is also advised that > + you check your custom configuration whether it's not vulnerable to > + foo.php.jpeg attacks. The php5_cgi configuration snippet can be used > + as base - it's important to use FilesMatch or Files directive to > +
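The "foo.php.jpeg" problem that runs through this thread is a property of mod_mime: a file name is split at every dot and each extension is looked up separately, so a handler or magic MIME type bound to ".php" with AddHandler/AddType also fires for "upload.php.jpeg", which an attacker can typically place on a server that accepts image uploads. The fragment below is an added example written for this page, not the Debian php5_cgi snippet nor any configuration shipped by the packages discussed; the /cgi-bin/php5 action target and the /var/www/uploads path are assumptions.

```apache
# Added example, not the Debian php5_cgi.conf. Apache does not allow trailing
# comments on a directive line, so every comment sits on its own line.

# WEAK: AddHandler/AddType bind to the extension wherever it occurs.
# mod_mime looks at "php" and "jpeg" of "upload.php.jpeg" in turn; "jpeg"
# sets the content type but carries no handler, so the handler from "php"
# survives and the file is executed as PHP (CGI here via mod_actions).
# The same applies to AddType application/x-httpd-php .php, where the
# MIME type doubles as the handler name ("magic" MIME type).
#AddHandler application/x-httpd-php .php
#Action application/x-httpd-php /cgi-bin/php5

# HARDENED: anchor the match at the end of the file name. Only names that
# end in ".php" get the handler; "upload.php.jpeg" is served with its
# negotiated type (image/jpeg) and never reaches the interpreter.
# "upload.jpeg.php" still matches, which is the intended behaviour.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
# mod_actions maps the handler to the CGI binary (assumed path; requires a
# matching ScriptAlias for /cgi-bin/ and the php5-cgi package).
Action application/x-httpd-php /cgi-bin/php5

# Defence in depth for a directory that holds untrusted uploads (assumed
# path): strip the handler again so nothing there is executed even if a
# later AddHandler/SetHandler is introduced elsewhere.
<Directory /var/www/uploads>
    <FilesMatch "\.php$">
        SetHandler none
    </FilesMatch>
    Options -ExecCGI -MultiViews
</Directory>
```

After applying such a change, verify it rather than trusting the directive: place a file named `x.php.jpeg` containing `<?php echo "executed"; ?>` in the document root and fetch it; a correct configuration returns the literal PHP source (or an image type), a broken one returns "executed". Disabling MultiViews in upload directories also closes the related negotiation path where a request for `/upload` could be answered by `upload.php`.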

Bug#719930: apache2-suexec-custom: trailing whitespace

2013-08-16 Thread Christoph Anton Mitterer
Package: apache2-suexec-custom Severity: minor Hi. Yeah... well... there is no severity available lower than minor ... guess we need "cosmetic" ;) Anyway, in the file suexec/www-data, in the line "# refuse the corresponding type of request." there is an unnecessary trailing space, that can be remo

Bug#775176: please don't open tcp/80 by default

2015-01-12 Thread Christoph Anton Mitterer
On Mon, 2015-01-12 at 09:48 +0100, Harald Dunkel wrote: > Actually I don't see any reason why apache2 should unconditionally > listen on 80/tcp for a https-only setup, so I wonder if ports.conf > could be moved to conf.d to support a2disconf? You can just modify ports.conf and set the listening so

Bug#775176: please don't open tcp/80 by default

2015-01-14 Thread Christoph Anton Mitterer
On Wed, 2015-01-14 at 06:47 +0100, Harald Dunkel wrote: > the interface to enable and disable virtual hosts is a2ensite/a2dissite. > That includes the IP/IPv6 address / virtual host names *and* the ports to > listen. apache2.conf should provide just a basic configuration common for > all vhosts an

Bug#775176: please don't open tcp/80 by default

2015-01-15 Thread Christoph Anton Mitterer
On Thu, 2015-01-15 at 13:53 +0100, Harald Dunkel wrote: > Unfortunately the VirtualHost statement defines both IP address > and port for each virtual host. They don't work without the > appropriate Listen statements, so I cannot follow your "independent > from each other". That's basically why you

Bug#775176: please manage address/port listenings with the conf.d snippets system or something similar

2015-01-17 Thread Christoph Anton Mitterer
retitle 775176 please manage address/port listenings with the conf.d snippets system or something similar stop On Sat, 2015-01-17 at 13:51 +0100, Harald Dunkel wrote: > This bug report is about the files provided with the package. All > I'm asking for is using a2enconf instead of ports.conf. I'v

Bug#977014: apache2-doc: please do not enable apache2-doc site (or even better: remove it at all)

2020-12-09 Thread Christoph Anton Mitterer
Package: apache2-doc Version: 2.4.46-2 Severity: wishlist Hi. I'd like to propose not to enable the apache2-doc "site" or even better completely remove its config or move it to some location in /u/s/d/apache2/examples/ . Why? First, there is typically never ever any reason to actually host i

Bug#980137: apache2: multi-instance support, APACHE_CONFDIR and ServerRoot

2021-01-14 Thread Christoph Anton Mitterer
Package: apache2 Version: 2.4.46-2 Severity: normal Hi. The default apache2.conf has: #ServerRoot "/etc/apache2" i.e. fall back to the compiled in default of /etc/apache2. Shouldn't this better be set to: ServerRoot "${/etc/apache2}" ? Especially since, AFAICS, nothing in README.multiple-ins

Bug#980137: apache2: multi-instance support, APACHE_CONFDIR and ServerRoot

2021-01-14 Thread Christoph Anton Mitterer
btw: For that to work, APACHE_CONFDIR would also need to be exported, probably either from /usr/sbin/apachectl Cheers, Chris.

Bug#980137: apache2: multi-instance support, APACHE_CONFDIR and ServerRoot

2021-04-12 Thread Christoph Anton Mitterer
Guess the better place to set it would be: /lib/systemd/system/apache2.service (just like it's already done in /lib/systemd/system/apache2@.service for the instance versions) This would also have the benefit that people could use APACHE_CONFDIR in their configs if they want to make paths relati

Bug#990658: apache2-doc: legacy conffiles leftover

2021-07-03 Thread Christoph Anton Mitterer
Package: apache2-doc Version: 2.4.46-2 Severity: normal Hi. Apparently the package used to contain the conffiles: /etc/apache2/conf.d/apache2-doc but no longer does so. Please properly clean them up using dpkg-maintscript-helper(1). (AFAIU, the version that needs to be specified for that is NOT

Bug#1018718: apache2-doc: despite having been disabled, apache2-doc.conf gets rather silently re-enabled automatically

2022-08-29 Thread Christoph Anton Mitterer
Package: apache2-doc Version: 2.4.54-1~deb11u1 Severity: important Hey. Unfortunately #977014 has been ignored so far, but now I just noted that even when one explicitly disabled apache2-doc.conf via a2disconf, it still gets rather silently re-enabled on upgrading the package, which is IMO quite

Bug#1018718: marked as pending in apache2

2023-04-01 Thread Christoph Anton Mitterer
Hey. Thanks for the fix. Am I right that this *generally* no longer enables apache2-doc.conf per default (i.e. also on fresh installs)? Cause that would also make it fix #977014. Cheers, Chris.

Bug#1018718: marked as pending in apache2

2023-04-03 Thread Christoph Anton Mitterer
On Mon, 2023-04-03 at 10:38 +0400, Yadd wrote: > > Causes that would also make it fix #977014. > Sure, thanks for the link You've marked it as fixed but haven't closed it. Was that on purpose or should I close it? > I saw in this issue that you were a little frustrated by the lack of > respons