Package: apache2
Version: 2.4.61-1~deb12u1
Severity: important

Dear Maintainer,

I recently upgraded from Bullseye to Bookworm. Afterwards, I noticed that CGI scripts were active on the default host. I investigated it and found that the upgrade seemed to have re-enabled config-available/serve-cgi-bin.conf, which I had intentionally disabled previously, because I didn't want to have CGI enabled globally, but rather enable it on a virtual host basis. This created a risk because now CGI scripts could be invoked through the default host with no access restrictions.

I believe there should be a mechanism that allows admins to permanently block certain config fragments, without the Debian package config/upgrade mechanism interfering and re-enabling it.

(I hope I'm not missing anything; I re-checked all default config files before posting this report. I chose not to include my modified config files, as they contain confidential info.)

Thank you.

Kind regards,
Ralf

-- Package-specific info:

-- System Information:
Debian Release: 12.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-23-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin                2.4.61-1~deb12u1
ii  apache2-data               2.4.61-1~deb12u1
ii  apache2-utils              2.4.61-1~deb12u1
ii  init-system-helpers        1.65.2
ii  lsb-base                   11.6
ii  media-types                10.0.0
ii  perl                       5.36.0-7+deb12u1
ii  procps                     2:4.0.2-3
ii  sysvinit-utils [lsb-base]  3.06-4

Versions of packages apache2 recommends:
pn  ssl-cert  <none>

Versions of packages apache2 suggests:
ii  apache2-doc                                          2.4.61-1~deb12u1
pn  apache2-suexec-pristine | apache2-suexec-custom      <none>
pn  www-browser                                          <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.2-3
ii  libaprutil1              1.6.3-1
ii  libaprutil1-dbd-sqlite3  1.6.3-1
ii  libaprutil1-ldap         1.6.3-1
ii  libbrotli1               1.0.9-2+b6
ii  libc6                    2.36-9+deb12u7
ii  libcrypt1                1:4.4.33-2
ii  libcurl4                 7.88.1-10+deb12u6
ii  libjansson4              2.14-2
ii  libldap-2.5-0            2.5.13+dfsg-5
ii  liblua5.3-0              5.3.6-2
ii  libnghttp2-14            1.52.0-1+deb12u1
ii  libpcre2-8-0             10.42-1
ii  libssl3                  3.0.13-1~deb12u1
ii  libxml2                  2.9.14+dfsg-1.3~deb12u1
ii  perl                     5.36.0-7+deb12u1
ii  zlib1g                   1:1.2.13.dfsg-1

Versions of packages apache2-bin suggests:
ii  apache2-doc                                          2.4.61-1~deb12u1
pn  apache2-suexec-pristine | apache2-suexec-custom      <none>
pn  www-browser                                          <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.61-1~deb12u1
ii  apache2-bin  2.4.61-1~deb12u1

-- Configuration Files:
/etc/apache2/conf-available/security.conf changed [not included]
/etc/apache2/mods-available/ssl.conf changed [not included]
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/logrotate.d/apache2 changed [not included]

-- no debconf information
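A post-upgrade check for the situation the report describes, added here as an example (it is not part of the report or of the apache2 package): it flags ScriptAlias directives that sit at server scope, outside every <VirtualHost>, which is how a re-enabled conf-enabled/serve-cgi-bin.conf exposes /cgi-bin/ on the default host. The sample configuration is constructed and only resembles Debian's fragment; APACHE_CONFDIR and the --live flag are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the bug report: detect server-wide CGI mappings.
# A ScriptAlias outside any <VirtualHost> applies to the default host and to
# every vhost, which is the exposure the reporter found after the upgrade.

# Print each ScriptAlias/ScriptAliasMatch at server scope in the given files.
global_scriptalias() {
  awk '
    FNR == 1 { depth = 0 }                                       # per file
    /^[[:space:]]*#/ { next }                                    # comment
    /^[[:space:]]*<VirtualHost[[:space:]>]/ { depth++; next }    # enter vhost
    /^[[:space:]]*<\/VirtualHost>/ { if (depth) depth--; next }  # leave vhost
    depth == 0 && /^[[:space:]]*ScriptAlias(Match)?[[:space:]]/ {
      sub(/^[[:space:]]+/, ""); print FILENAME ": " $0
    }' "$@"
}

# Number of server-scope ScriptAlias directives across the given files.
count_global_scriptalias() {
  global_scriptalias "$@" | awk 'END { print NR }'
}

# Live check of a Debian layout (assumed default /etc/apache2): report the
# fragment symlink and scan apache2.conf plus conf-enabled/. sites-enabled/ is
# skipped on purpose, since per-vhost ScriptAlias is the intended setup here.
check_live() {
  confdir="${APACHE_CONFDIR:-/etc/apache2}"
  if [ -e "$confdir/conf-enabled/serve-cgi-bin.conf" ]; then
    echo "serve-cgi-bin.conf is enabled; disable with: a2disconf serve-cgi-bin"
  fi
  global_scriptalias "$confdir/apache2.conf" "$confdir"/conf-enabled/*.conf
}

# Constructed sample: a global mapping like serve-cgi-bin.conf, plus a
# per-vhost one that must not be reported. Prints the temp file's path.
sample_conf() {
  tmp=$(mktemp) || exit 1
  cat > "$tmp" <<'EOF'
<IfModule mod_alias.c>
    <IfDefine ENABLE_USR_LIB_CGI_BIN>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    </IfDefine>
</IfModule>
<VirtualHost *:80>
    ScriptAlias /cgi-bin/ /srv/app/cgi-bin/
</VirtualHost>
EOF
  echo "$tmp"
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with --live on the upgraded host; any line printed names a file that maps CGI for the default host, and the hint points at the a2disconf command that removes the fragment symlink.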