Package: apache2.2-common
Version: 2.2.16-4
Severity: minor
Hi.
The documentation in /usr/share/doc/apache2.2-common/README.Debian.gz
must be wrong, as it claims /etc/apache2/magic would be empty, which is not
the case.
Cheers,
Chris.
--
To UNSUBSCRIBE, email to
Package: apache2-doc
Version: 2.2.16-4
Severity: wishlist
Hi.
May I suggest disabling or, even better, removing /etc/apache2/conf.d/apache2-doc
per default?
I guess most people _don't_ want their servers to have the apache documentation
provided to the web.
IMHO the file should go to some
Package: apache2.2-common
Version: 2.2.16-4
Severity: minor
Hi.
In the apache2.conf you make some predefined log-formats, including one for
the Common Log Format and one for the Combined Log Format.
Those are defined there using %O for the number of bytes.
Most other resources I could find
btw: This applies also to the other vhost combined version.
Another reason to really use the _same_ definition of CLF as apache does
is, that this format is already hardcoded in case no LogFormat Directive
is given and TransferLog is used.
Package: apache2.2-common
Version: 2.2.16-4
Severity: wishlist
Hi.
Currently the last LogFormat in apache2.conf is (per default):
LogFormat %{User-agent}i agent
For the TransferLog directive, the most recent LogFormat directive
specifies the format.
So may I suggest, to put the combined
Package: apache2.2-common
Version: 2.2.16-4
Severity: wishlist
Hi.
IMHO, mod_authn_default should be enabled in the default config, just as
mod_authz_default already is.
It provides a fall-back (denying) authorisation provider.
Cheers,
Chris.
--
Package: apache2.2-common
Version: 2.2.16-4
Severity: minor
Hi.
It seems that you've added code to a2dissite/a2ensite to nicely handle
the special(?) sites default to be added automatically as 000-default.
Both tools also provide bash-completion, but a2dissite only identifies
the 000-default
Package: apache2-suexec
Severity: normal
Hi.
Currently suexec is compiled with:
-D AP_GID_MIN=100
-D AP_UID_MIN=100
-D AP_SAFE_PATH=/usr/local/bin:/usr/bin:/bin
Some things that are perhaps worth thinking about:
1) Is there a specific security reason not to include /sbin and /usr/sbin ?
I
On Sat, 2012-04-14 at 21:26 +0200, Stefan Fritsch wrote:
We had that in the past. The problem with %b is that it gives no
indication if the request was a partial request but always logs the
size of the complete document. I think that the inaccuracies because
of the headers are smaller than
On Fri, 2012-06-01 at 16:16 +0200, Stefan Fritsch wrote:
I would vote for
the release notes plus
Release notes is a good idea, Stefan, Brian... can any one of you take
care of this or should I (but I'm on vacation starting next Tue, so that
would take some time)?
either apache2 or mod_php
Hey folks.
How are things going with this issue?
I guess what I propose here
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674089#35) is the
best/safest way to go:
1) something in the release notes
2) the NEWS files of at least
mime-types, apache, php5-common (mod_php is not enough)
On Sat, 2012-08-04 at 12:44 +0900, Charles Plessy wrote:
do I understand correctly that the problem would be solved by documenting the
change in the release notes ?
Well as said, I do _NOT_ consider this to be enough (see my previous
mail for my proposed steps).
If yes, can somebody write a
On Tue, 2012-08-14 at 08:06 +0900, Charles Plessy wrote:
+ You should also be aware, that a server deployed in CGI mode is open
+ to several possible vulnerabilities, see upstream CGI security page
+ to learn ow to defend yourself from such attacks:
+
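Review bot: typo in the third added line, "learn ow to defend" should read "learn how to defend"; the first added line also drops the comma after "aware" ("You should also be aware that a server deployed in CGI mode ..."). Since this paragraph is the only pointer users get to the upstream CGI security page, double-check that the URL which follows the colon survives into the final README.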
On Wed, 2012-08-15 at 09:02 +0900, Charles Plessy wrote:
For the moment there is the draft proposed by Christoph at
http://bugs.debian.org/674089#66
I should note perhaps, that this draft expected all the proposals I made
in #674205 to be in place, which they were not yet, when I've looked the
On Wed, 2012-08-15 at 10:40 +0200, Ondřej Surý wrote:
With the exception of RemoteType php they are all in place.
I've just had a look into git (I guess that's the canonical location?):
http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob_plain;f=debian/php5-common.README.Debian;hb=HEAD
On Wed, 2012-08-15 at 21:07 +0200, Stefan Fritsch wrote:
Since we have gone to great pains to not use the magic MIME types
anymore, I think we should not recommend them here. Or at least not as
the first option.
Stefan, can you please elaborate on what you mean with magic MIME types?
(you're
On Thu, 2012-08-16 at 00:24 +0200, Stefan Fritsch wrote:
Stefan, can you please elaborate on what you mean with magic MIME
types? (you're talking about MIME type discovery via libmagic or
similar? That would be not what's suggested above!)
The mime types that are also handler names and
On Fri, 2012-08-17 at 08:00 +0900, Charles Plessy wrote:
- In Squeeze, using default configurations, files with .php in their name
such as foo.php.jpeg are executed as PHP scripts by the Apache web
server.
Looking at mod-php5 5.3.3-7+squeeze14:
not vulnerable, but not optimised either
Hi Ondřej.
On Mon, 2012-08-20 at 14:57 +0200, Ondřej Surý wrote:
http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=commit;h=72eef08994f65b227103509617652d7c0bf0587a
- You mention in the README.Debian now, that no other webserver likely used
/etc/mime.types.
Wasn't there someone who meant
On Tue, 2012-08-21 at 09:07 +0200, Ondřej Surý wrote:
Maybe add just a small paragraph that the configuration of the
extensions has changed and php users should read the NEWS file?
That's probably a sensible approach. I have quickly drafted a short
paragraph which can be used for release
Hi.
I wondered about the status of the BEAST attack in Debian, especially:
1) Can I use any cipher suite and still be secure (e.g. use AES and
disable RC4; the latter, which is often claimed to secure things... while
there are however sources on the web claiming it would be even more
vulnerable
Hi Stefan :)
On Sun, 2012-09-16 at 10:31 +0200, Stefan Fritsch wrote:
Browsers now have a workaround that splits/inserts TLS records that
cause the IV to be changed. So this works also with CBC ciphers.
Yeah I knew,...
This
is basically the same what openssl does since before 0.9.6.
... I
On Mon, 2012-10-08 at 15:38 +0200, Ondřej Surý wrote:
Just one last question which came to my mind. Would this all be fixed
if we added a non-magic type to mime-support (e.g.
http://bugs.debian.org/670945) and reverted the changes done in the
php5-cgi package?
I'm a bit unsure how/why that
On Mon, 2012-10-08 at 22:42 +0200, Ondřej Surý wrote:
Basically it would bring the old behaviour back while not mangling
with custom Set/AddHandler directives in the apache. Remember the
php5_cgi.{load,conf} hack was introduced after the decision to fix this
only in Apache - which in turn caused
Hi Charles.
On Thu, 2012-10-11 at 09:06 +0900, Charles Plessy wrote:
Do you think that there is a way to fix #589384 (the *.php.foo problem)
without removing the application/x-httpd-* media types ?
I would say no, well at least not if we also want to use these media
types later on in Apache to
Oh and one more thing (even though this is PHP unrelated):
Maybe I misunderstand something but it seems both:
libapache2-mod-fcgid, which uses:
<IfModule mod_fcgid.c>
  AddHandler fcgid-script .fcgi
  FcgidConnectTimeout 20
</IfModule>
and
libapache2-mod-fastcgi, which uses:
IfModule
Hey folks.
On Tue, 2012-10-16 at 00:16 +0200, Stefan Fritsch wrote:
And remove the php-cgi.conf completely, right? So this would introduce
a different fix for the multi-views problem. Are you sure that there
is no other problem that we would re-introduce? Maybe it's worth a
try.
There
On Fri, 2012-10-26 at 13:18 +0200, Ondřej Surý wrote:
+ It is also advised that
+ you check your custom configuration whether it's not vulnerable to
+ foo.php.jpeg attacks. The php5_cgi configuration snippet can be used
+ as base - it's important to use FilesMatch or Files directive to
+
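Review bot: the last added line stops mid-sentence ("use FilesMatch or Files directive to"), so the rule the reader is supposed to apply never arrives. Given that the problem named two lines earlier is foo.php.jpeg being handled as PHP, the finished sentence should state that the match must be anchored to the end of the filename rather than matching ".php" anywhere in the name. Minor wording: "whether it's not vulnerable" reads better as "to make sure it is not vulnerable", and "as base" as "as a base".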
On Thu, 2015-01-15 at 13:53 +0100, Harald Dunkel wrote:
Unfortunately the VirtualHost statement defines both IP address
and port for each virtual host. They don't work without the
appropriate Listen statements, so I cannot follow your independent
from each other.
That's basically why you need
retitle 775176 please manage address/port listenings with the conf.d snippets
system or something similar
stop
On Sat, 2015-01-17 at 13:51 +0100, Harald Dunkel wrote:
This bug report is about the files provided with the package. All
I'm asking for is using a2enconf instead of ports.conf.
I've
On Wed, 2015-01-14 at 06:47 +0100, Harald Dunkel wrote:
the interface to enable and disable virtual hosts is a2ensite/a2dissite.
That includes the IP/IPv6 address / virtual host names *and* the ports to
listen. apache2.conf should provide just a basic configuration common for
all vhosts and
On Mon, 2015-01-12 at 09:48 +0100, Harald Dunkel wrote:
Actually I don't see any reason why apache2 should unconditionally
listen on 80/tcp for a https-only setup, so I wonder if ports.conf
could be moved to conf.d to support a2disconf?
You can just modify ports.conf and set the listening
Package: apache2-doc
Version: 2.4.46-2
Severity: wishlist
Hi.
I'd like to propose not to enable the apache2-doc "site" or,
even better, to completely remove its config or move it to some location
in /u/s/d/apache2/examples/ .
Why?
First, there is typically never ever any reason to actually host
Package: apache2
Version: 2.4.46-2
Severity: normal
Hi.
The default apache2.conf has:
#ServerRoot "/etc/apache2"
i.e. fall back to the compiled in default of /etc/apache2.
Shouldn't this better be set to:
ServerRoot "${/etc/apache2}"
?
Especially since, AFAICS, nothing in
btw: For that to work, APACHE_CONFDIR would also need to be exported,
probably either from /usr/sbin/apachectl
Cheers,
Chris.
Package: apache2-doc
Version: 2.4.46-2
Severity: normal
Hi.
Apparently the package used to contain the conffiles:
/etc/apache2/conf.d/apache2-doc
but no longer does so.
Please properly clean them up using dpkg-maintscript-helper(1).
(AFAIU, the version that needs to be specified for that is
Guess the better place to set it would be:
/lib/systemd/system/apache2.service
(just like it's already done in /lib/systemd/system/apache2@.service
for the instance versions)
This would also have the benefit that people could use APACHE_CONFDIR
in their configs if they want to make paths
Package: apache2-doc
Version: 2.4.54-1~deb11u1
Severity: important
Hey.
Unfortunately #977014 has been ignored so far, but now I just noted that even
when one explicitly disabled apache2-doc.conf via a2disconf, it still gets
rather silently re-enabled on upgrading the package, which is IMO quite
On Mon, 2023-04-03 at 10:38 +0400, Yadd wrote:
> > Because that would also make it fix #977014.
> Sure, thanks for the link
You've marked it as fixed but haven't closed it.
Was that on purpose or should I close it?
> I saw in this issue that you were a little frustrated by the lack of
>
Hey.
Thanks for the fix.
Am I right that this *generally* no longer enables apache2-
doc.conf per default (i.e. also on fresh installs)?
Because that would also make it fix #977014.
Cheers,
Chris.
40 matches