Your message dated Sat, 07 Sep 2024 19:44:33 +0000
with message-id <2036776.SrnRTqti5r@portable-bastien>
and subject line Closed per user request
has caused the Debian Bug report #1080079,
regarding apache2: Upgrade from Debian 11 to 12 seems to have enabled serve-cgi-bin.conf (security risk)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1080079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080079
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.61-1~deb12u1
Severity: important

Dear Maintainer,

I recently upgraded from Bullseye to Bookworm. Afterwards, I noticed that CGI scripts were active on the default host. I investigated it and found that the upgrade seemed to have re-enabled config-available/serve-cgi-bin.conf, which I had intentionally disabled previously, because I didn't want to have CGI enabled globally, but rather enable it on a virtual host basis. This created a risk because now CGI scripts could be invoked through the default host with no access restrictions.

I believe there should be a mechanism that allows admins to permanently block certain config fragments, without the Debian package config/upgrade mechanism interfering and re-enabling them.

(I hope I'm not missing anything; I re-checked all default config files before posting this report. I chose not to include my modified config files, as they contain confidential info.)

Thank you.

Kind regards,
Ralf

-- Package-specific info:

-- System Information:
Debian Release: 12.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-23-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin                2.4.61-1~deb12u1
ii  apache2-data               2.4.61-1~deb12u1
ii  apache2-utils              2.4.61-1~deb12u1
ii  init-system-helpers        1.65.2
ii  lsb-base                   11.6
ii  media-types                10.0.0
ii  perl                       5.36.0-7+deb12u1
ii  procps                     2:4.0.2-3
ii  sysvinit-utils [lsb-base]  3.06-4

Versions of packages apache2 recommends:
pn  ssl-cert  <none>

Versions of packages apache2 suggests:
ii  apache2-doc                                           2.4.61-1~deb12u1
pn  apache2-suexec-pristine | apache2-suexec-custom       <none>
pn  www-browser                                           <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.2-3
ii  libaprutil1              1.6.3-1
ii  libaprutil1-dbd-sqlite3  1.6.3-1
ii  libaprutil1-ldap         1.6.3-1
ii  libbrotli1               1.0.9-2+b6
ii  libc6                    2.36-9+deb12u7
ii  libcrypt1                1:4.4.33-2
ii  libcurl4                 7.88.1-10+deb12u6
ii  libjansson4              2.14-2
ii  libldap-2.5-0            2.5.13+dfsg-5
ii  liblua5.3-0              5.3.6-2
ii  libnghttp2-14            1.52.0-1+deb12u1
ii  libpcre2-8-0             10.42-1
ii  libssl3                  3.0.13-1~deb12u1
ii  libxml2                  2.9.14+dfsg-1.3~deb12u1
ii  perl                     5.36.0-7+deb12u1
ii  zlib1g                   1:1.2.13.dfsg-1

Versions of packages apache2-bin suggests:
ii  apache2-doc                                           2.4.61-1~deb12u1
pn  apache2-suexec-pristine | apache2-suexec-custom       <none>
pn  www-browser                                           <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.61-1~deb12u1
ii  apache2-bin  2.4.61-1~deb12u1

-- Configuration Files:
/etc/apache2/conf-available/security.conf changed [not included]
/etc/apache2/mods-available/ssl.conf changed [not included]
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/logrotate.d/apache2 changed [not included]

-- no debconf information
--- End Message ---
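A post-upgrade audit for the situation the report describes, added here as an example (it is not from the report or from the Debian apache2 package): it checks a Debian-layout Apache config root for fragments, modules or sites the administrator intended to keep disabled, and lists any ScriptAlias directive that is enabled globally in conf-enabled/ rather than inside one virtual host. The config root, the blocked names and the fixture directory are assumptions, and the fixture is constructed to mimic the state described above.

```shell
# Added audit helper (constructed example, not from the bug report or the
# Debian apache2 package). It assumes the Debian layout under a config root:
# conf-available/ + conf-enabled/, mods-available/ + mods-enabled/, sites-*.

# Return 0 when none of the listed items are enabled, 1 when at least one is.
# $1 = config root (e.g. /etc/apache2); further args are "conf:NAME",
# "mod:NAME" or "site:NAME", e.g. conf:serve-cgi-bin mod:cgi mod:cgid.
apache_audit_blocked() {
    root="$1"; shift; rc=0
    for item in "$@"; do
        kind="${item%%:*}"; name="${item#*:}"
        case "$kind" in
            conf) link="$root/conf-enabled/$name.conf" ;;
            mod)  link="$root/mods-enabled/$name.load" ;;
            site) link="$root/sites-enabled/$name.conf" ;;
            *)    echo "unknown item kind: $kind" >&2; return 2 ;;
        esac
        # -L catches a dangling symlink, -e a regular file or a live symlink.
        if [ -e "$link" ] || [ -L "$link" ]; then
            echo "ENABLED: $item -> $link"
            rc=1
        fi
    done
    return "$rc"
}

# Print every ScriptAlias in conf-enabled/, i.e. CGI mappings that apply to
# all virtual hosts rather than to one <VirtualHost> block.
apache_global_scriptalias() {
    for f in "$1"/conf-enabled/*.conf; do
        [ -f "$f" ] || continue
        grep -Hn '^[[:space:]]*ScriptAlias' "$f" || true
    done
}

# Constructed fixture reproducing the post-upgrade state from the report:
# serve-cgi-bin.conf enabled globally, cgid available but not loaded.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf-available" "$dir/conf-enabled" \
             "$dir/mods-available" "$dir/mods-enabled" "$dir/sites-enabled"
    printf 'ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/\n' \
        > "$dir/conf-available/serve-cgi-bin.conf"
    ln -s ../conf-available/serve-cgi-bin.conf "$dir/conf-enabled/serve-cgi-bin.conf"
    printf 'LoadModule cgid_module /usr/lib/apache2/modules/mod_cgid.so\n' \
        > "$dir/mods-available/cgid.load"
    echo "$dir"
}
```

Run against a live system as `apache_audit_blocked /etc/apache2 conf:serve-cgi-bin mod:cgi mod:cgid` after each upgrade; a non-zero exit means something on the blocklist came back.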
--- Begin Message ---
--- End Message ---