Your message dated Sun, 01 Aug 2004 03:47:11 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#257108: fixed in apache 1.3.31-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 1 Jul 2004 09:03:09 +0000
From [EMAIL PROTECTED] Thu Jul 01 02:03:09 2004
Return-path: <[EMAIL PROTECTED]>
Received: from tornado.dat.etsit.upm.es (dat.etsit.upm.es) [138.100.17.73] 
        by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
        id 1BfxTJ-0004Kb-00; Thu, 01 Jul 2004 02:03:09 -0700
Received: (qmail 16458 invoked by uid 1013); 1 Jul 2004 09:03:07 -0000
Date: Thu, 1 Jul 2004 11:03:07 +0200
From: Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: apache: /var/lib/apache/mod-bandwidth/ is world writable 
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="sm4nu43k4a2Rpi4c"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040523i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: apache-common
Version: 1.3.31-1
Priority: important
Tags: security

I cannot really understand why this is needed:

$ ls -la /var/lib/apache/mod-bandwidth/
total 16
drwxrwxrwx    4 www-data www-data     4096 2003-10-20 21:53 .
drwxr-xr-x    3 root     root         4096 2003-10-20 21:53 ..
drwxrwxrwx    2 www-data www-data     4096 2003-10-14 14:38 link
drwxrwxrwx    2 www-data www-data     4096 2003-10-14 14:38 master

README.mod_bandwidth just says:

No documentation available!

So, is there any reason why mod-bandwidth files should be writable by all
users?

I'm tagging this security because directories writable by all users open up
a can of worms (partition DoS attacks, symlink and hard link attacks) and
administrators do not expect Debian packages to create those without a good
enough reason. Also, directories writable by all users (such as /tmp/ or
/var/tmp) should be created with the sticky bit.

Regards

Javier
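The condition Javier describes (directories writable by all users and created without the sticky bit) can be checked mechanically. The following is an added example, not code from the bug report or from the Debian apache package: it builds a throwaway copy of the reported layout (mod-bandwidth/link and mod-bandwidth/master, all mode 0777) under a mktemp directory, lists directories that are world-writable but not sticky, and remediates by dropping world write. The function names and the `demo` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a tree for directories that
# are writable by all users but lack the sticky bit, the situation reported
# for /var/lib/apache/mod-bandwidth/. The sample tree is constructed here.

# Print every directory under $1 that is world-writable (o+w, octal 0002)
# and does not have the sticky bit (octal 1000) set.
find_unsafe_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Build a throwaway copy of the reported layout: mod-bandwidth/{link,master}
# all mode 0777 (drwxrwxrwx), plus a sticky 1777 directory for contrast.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/mod-bandwidth/link" "$root/mod-bandwidth/master" "$root/tmp"
    chmod 0777 "$root/mod-bandwidth" "$root/mod-bandwidth/link" "$root/mod-bandwidth/master"
    chmod 1777 "$root/tmp"
    printf '%s\n' "$root"
}

# Number of unsafe directories under $1 (what a periodic check would alert on).
count_unsafe_dirs() {
    find_unsafe_dirs "$1" | wc -l | tr -d ' '
}

# Remediation used here: drop world write so only the owner (www-data in the
# report) can create entries. Adding the sticky bit (chmod +t) is the other
# option the report mentions, for directories that must stay world-writable.
harden_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod o-w {} +
}

# Stand-alone demonstration: ./audit.sh demo
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_tree)
    echo "unsafe before: $(count_unsafe_dirs "$root")"
    find_unsafe_dirs "$root"
    harden_dirs "$root"
    echo "unsafe after:  $(count_unsafe_dirs "$root")"
    rm -rf "$root"
fi
```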

---------------------------------------
Received: (at 257108-close) by bugs.debian.org; 1 Aug 2004 07:49:59 +0000
From [EMAIL PROTECTED] Sun Aug 01 00:49:59 2004
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1BrB6V-0000xP-00; Sun, 01 Aug 2004 00:49:59 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1BrB3n-0006aI-00; Sun, 01 Aug 2004 03:47:11 -0400
From: [EMAIL PROTECTED] (Fabio M. Di Nitto)
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.51 $
Subject: Bug#257108: fixed in apache 1.3.31-3
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sun, 01 Aug 2004 03:47:11 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Source: apache
Source-Version: 1.3.31-3

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.31-3_i386.deb
  to pool/main/a/apache/apache-common_1.3.31-3_i386.deb
apache-dbg_1.3.31-3_i386.deb
  to pool/main/a/apache/apache-dbg_1.3.31-3_i386.deb
apache-dev_1.3.31-3_all.deb
  to pool/main/a/apache/apache-dev_1.3.31-3_all.deb
apache-doc_1.3.31-3_all.deb
  to pool/main/a/apache/apache-doc_1.3.31-3_all.deb
apache-perl_1.3.31-3_i386.deb
  to pool/main/a/apache/apache-perl_1.3.31-3_i386.deb
apache-ssl_1.3.31-3_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.31-3_i386.deb
apache-utils_1.3.31-3_i386.deb
  to pool/main/a/apache/apache-utils_1.3.31-3_i386.deb
apache_1.3.31-3.diff.gz
  to pool/main/a/apache/apache_1.3.31-3.diff.gz
apache_1.3.31-3.dsc
  to pool/main/a/apache/apache_1.3.31-3.dsc
apache_1.3.31-3_i386.deb
  to pool/main/a/apache/apache_1.3.31-3_i386.deb
libapache-mod-perl_1.29.0.2-10_i386.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.2-10_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio M. Di Nitto <[EMAIL PROTECTED]> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Sun, 01 Aug 2004 08:02:46 +0200
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source i386 all
Version: 1.3.31-3
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Fabio M. Di Nitto <[EMAIL PROTECTED]>
Description: 
 apache     - Versatile, high-performance HTTP server
 apache-common - Support files for all Apache webservers
 apache-dbg - Apache webservers (debugging versions)
 apache-dev - Apache webserver development kit
 apache-doc - Apache webserver docs
 apache-perl - Versatile, high-performance HTTP server with Perl support
 apache-ssl - Versatile, high-performance HTTP server with SSL support
 apache-utils - Utility programs for webservers
 libapache-mod-perl - Integration of perl with the Apache web server
Closes: 257108 257566 258602 259169 262582
Changes: 
 apache (1.3.31-3) unstable; urgency=high
 .
   * (Fabio M. Di Nitto)
     - Urgency high thanks to bash3.0
     - Added Turkish po-debconf translation thanks to
       Recai Oktas <[EMAIL PROTECTED]> (Closes: #257566)
     - Added AddDefaultCharset notes in README.Debian as discussed
       in #257775
     - Added /var/lib/apache/mod-bandwidth directory permission notes
       (Closes: #257108)
     - Changed default environment PATH to include /usr/local/bin and
       get rid of *sbin*. (Closes: #258602)
     - Added Czech translation. Thanks to Jan Outrata <[EMAIL PROTECTED]>
       (Closes: #259169)
     - Change apache-modconf to make bash3.0 happy. (Closes: #262582)