Your message dated Tue, 28 Sep 2004 13:32:06 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#227653: fixed in apache2 2.0.52-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 14 Jan 2004 05:26:55 +0000
Date: Wed, 14 Jan 2004 00:34:06 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: suexec is on by default, breaks user cgi scripts if UserDir has changed
Message-ID: <[EMAIL PROTECTED]>
X-Die-Cursed-Spawn-Of-Satan-Die-Die-Die: suexec
X-Reportbug-Version: 2.37
User-Agent: Mutt/1.5.4i

Package: apache2-common
Version: 2.0.48-4
Severity: normal

Read this strace and weep:

stat64("/home/joey/html/blog/index.cgi", {st_mode=S_IFREG|0755, st_size=1538, ...}) = 0
..
fork(Process 3822 attached
..
[pid 3822] execve("/usr/lib/apache2/suexec2", ["/usr/lib/apache2/suexec2", "~1000", "1000", "index.cgi"], [/* 22 vars*/]) = 0
..
[pid 3822] getcwd("/home/joey/html/blog", 4096) = 21
[pid 3822] chdir("/home/joey") = 0
[pid 3822] chdir("public_html") = -1 ENOENT (No such file or directory)
[pid 3822] time([1074057876]) = 1074057876
[pid 3822] write(3, "[2004-01-14 00:24:36]: cannot ge"..., 67) = 67

Note that I have my web server configured as follows:

[EMAIL PROTECTED]:/etc/apache2>grep UserDir -r .
./mods-enabled/userdir.conf: UserDir html
./mods-available/userdir.conf: UserDir html
./apache2.conf:UserDir html
[EMAIL PROTECTED]:/etc/apache2>grep -i suexec -r .
./mods-available/suexec.load:LoadModule suexec_module /usr/lib/apache2/modules/mod_suexec.so
[EMAIL PROTECTED]:/etc/apache2>ls mods-enabled/suexec*
zsh: no matches found: mods-enabled/suexec*

Why is suexec loaded even though it is not linked to mods-enabled? Why
does suexec ignore my UserDir setting and try to use a non-existent
"public_html" directory?

The workaround, as with every suexec problem I have ever filed a bug on
(and there have been many):

[EMAIL PROTECTED]:/usr/lib/apache2>dpkg-divert --add `pwd`/suexec2 --rename

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux dragon 2.4.24 #1 Thu Jan 8 15:48:32 EST 2004 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages apache2-common depends on:
ii  debconf       1.4.3         Debian configuration management sy
ii  debianutils   2.6.1         Miscellaneous utilities specific t
ii  libapr0       2.0.48-4      The Apache Portable Runtime
ii  libc6         2.3.2.ds1-10  GNU C Library: Shared libraries an
ii  libdb4.1      4.1.25-10     Berkeley v4.1 Database Libraries [
ii  libexpat1     1.95.6-6      XML parsing C library - runtime li
ii  libldap2      2.1.23-1      OpenLDAP libraries
ii  libssl0.9.7   0.9.7c-5      SSL shared libraries
ii  mime-support  3.23-1        MIME files 'mime.types' & 'mailcap
ii  net-tools     1.60-8        The NET-3 networking toolkit
ii  openssl       0.9.7c-5      Secure Socket Layer (SSL) binary a
ii  ssl-cert      1.0-6         Simple debconf wrapper for openssl
ii  zlib1g        1:1.2.1-3     compression library - runtime

-- no debconf information

-- 
see shy jo

---------------------------------------
Received: (at 227653-close) by bugs.debian.org; 28 Sep 2004 17:38:27 +0000
From: Adam Conrad <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#227653: fixed in apache2 2.0.52-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 28 Sep 2004 13:32:06 -0400

Source: apache2
Source-Version: 2.0.52-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-common_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2-common_2.0.52-1_powerpc.deb
apache2-doc_2.0.52-1_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.52-1_all.deb
apache2-mpm-perchild_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.52-1_powerpc.deb
apache2-mpm-prefork_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.52-1_powerpc.deb
apache2-mpm-threadpool_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.52-1_powerpc.deb
apache2-mpm-worker_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.52-1_powerpc.deb
apache2-prefork-dev_2.0.52-1_all.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.52-1_all.deb
apache2-threaded-dev_2.0.52-1_all.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.52-1_all.deb
apache2_2.0.52-1.diff.gz
  to pool/main/a/apache2/apache2_2.0.52-1.diff.gz
apache2_2.0.52-1.dsc
  to pool/main/a/apache2/apache2_2.0.52-1.dsc
apache2_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/apache2_2.0.52-1_powerpc.deb
apache2_2.0.52.orig.tar.gz
  to pool/main/a/apache2/apache2_2.0.52.orig.tar.gz
libapr0-dev_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/libapr0-dev_2.0.52-1_powerpc.deb
libapr0_2.0.52-1_powerpc.deb
  to pool/main/a/apache2/libapr0_2.0.52-1_powerpc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <[EMAIL PROTECTED]> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Tue, 28 Sep 2004 10:21:20 -0600
Source: apache2
Binary: apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-threadpool apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source all powerpc
Version: 2.0.52-1
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <[EMAIL PROTECTED]>
Description:
 apache2    - Next generation, scalable, extendable web server
 apache2-common - Next generation, scalable, extendable web server
 apache2-doc - Documentation for apache2
 apache2-mpm-perchild - Experimental High speed perchild threaded model for Apache2
 apache2-mpm-prefork - Traditional model for Apache2
 apache2-mpm-threadpool - Experimental High speed thread pool model for Apache2
 apache2-mpm-worker - High speed threaded model for Apache2
 apache2-prefork-dev - Development headers for apache2
 apache2-threaded-dev - Development headers for apache2
 libapr0    - The Apache Portable Runtime
 libapr0-dev - Development headers for libapr
Closes: 227653 239571 261820 272531 272865 273017 273019 273021 273258 273412
Changes:
 apache2 (2.0.52-1) unstable; urgency=high
 .
   * New upstream bugfix/security release:
     - Fixes CAN-2004-0811: Satisfy directive bypass (closes: #273412)
   * Add '|| true' to a2enmod to stop it from dying when the installed
     MPM isn't prefork (closes: #273017, #273019, #272865, #273021, #273258)
   * Touch /var/log/apache2/error.log on new installs to ensure that our
     log directory isn't removed until the package is purged, so logrotate
     doesn't complain about its inability to find it (closes: #239571)
   * Add 032_suexec_is_shared, which makes sure suEXEC is only searched for
     and enabled when mod_suexec is loaded (closes: #227653)
   * Use '$APACHE2CTL startssl' consistently in init script to make sure
     the SSL define doesn't disappear on force-reload (closes: #272531)
   * Add 033_dbm_read_hash_or_btree to allow apr-util and dbmmanage to
     open and manipulate DB_BTREE databases, while still defaulting to
     creating DB_HASH databases as before. This should clear up
     incompatibilities with other applications (such as PHP) which
     default to DB_BTREE.
   * Moved dbmmanage2 to /usr/bin, instead of /usr/sbin, as it's a user tool.
   * Added 034_ab2_has_openssl, thanks to 2.1-cvs, Fedora, thom, and a bit
     of munging, to compile a working ab2 with SSL support (closes: #261820)
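
Added example (not part of the original messages or of the Debian package): a POSIX shell check for the condition reported in Bug#227653, where the suexec wrapper is on disk, mod_suexec is not linked into mods-enabled, and UserDir differs from the directory the wrapper changes into. The function name, messages and return codes are assumptions of this example; the wrapper's directory is passed as an argument and defaults to public_html, the value visible in the strace.

```shell
#!/bin/sh
# Added example: flag the suexec/UserDir mismatch described in this report.
# usage: check_suexec_userdir CONFDIR SUEXEC_BIN [COMPILED_SUFFIX]
#   e.g. check_suexec_userdir /etc/apache2 /usr/lib/apache2/suexec2
# COMPILED_SUFFIX is the directory the wrapper chdir()s into under the
# user's home; it defaults to public_html, the value seen in the strace.
# Returns 0 when nothing is flagged, 1 otherwise (return codes are this
# example's own convention).
check_suexec_userdir() {
    confdir=$1; suexec_bin=$2; compiled=${3:-public_html}
    findings=0

    # Wrapper absent (never installed, or moved aside with dpkg-divert
    # --rename as in the workaround): CGIs cannot be routed through it.
    if [ ! -e "$suexec_bin" ]; then
        echo "OK: no suexec wrapper at $suexec_bin"
        return 0
    fi

    # Wrapper present but module not linked into mods-enabled: per the
    # report, apache2 before 2.0.52-1 still uses the wrapper in this state.
    if ! ls "$confdir"/mods-enabled/suexec* >/dev/null 2>&1; then
        echo "WARN: $suexec_bin exists but mod_suexec is not enabled"
        findings=1
    fi

    # Every active (uncommented) UserDir value; symlinked files are read
    # because they are named explicitly rather than found by recursion.
    dirs=$(grep -hiE '^[[:space:]]*UserDir[[:space:]]+' \
               "$confdir"/apache2.conf "$confdir"/mods-enabled/*.conf \
               2>/dev/null | awk '{print $2}' | sort -u)
    for d in $dirs; do
        case $d in disabled|enabled) continue ;; esac
        if [ "$d" != "$compiled" ]; then
            echo "MISMATCH: UserDir $d, but suexec will chdir to ~/$compiled"
            findings=1
        fi
    done
    return "$findings"
}
```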