Package: apache2.2-common
Version: 2.2.14-3
Severity: normal

In Debian's default configuration, Apache's mod_mime sets Content-Type to application/x-gzip if a file has a .gz extension. This behavior is configured in /etc/apache2/mods_available/mime.conf:

  AddType application/x-gzip .gz .tgz

The .gz extension is recognized not only at the end but also in the middle of a file name. If a file is named e.g. data.tar.gz.gpg, the content type "application/x-gzip" is however very incorrect. The file is a PGP signature of arbitrary data, not a further compressed or encrypted GZip file.

In /etc/apache2/mods_available/mime.conf, the following setting is also suggested but commented out by default:

  #AddEncoding x-gzip .gz .tgz

If this setting is uncommented, an incorrect Content-Encoding header is added in a similar way to Content-Type. Apparently some HTTP clients and/or proxies attempt to automatically gunzip such responses, which obviously fails in the case presented above.

This is probably what happened with Ubuntu's package repositories, when systems using a proxy (specifically apt-cacher) failed to upgrade. See https://bugs.launchpad.net/ubuntu/+bug/245219 for more information.

A work-around for the .tar.gz.gpg case is to add an

  AddType application/pgp-signature .gpg

directive and disable the AddEncoding directive for .gz.

The behavior of mod_mime with regard to multiple file extensions is described here: http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext

I disagree with the principle of matching a non-final extension even when unknown extensions follow.
-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile authz_host
  authz_user autoindex cgid deflate dir env mime negotiation setenvif
  status userdir wsgi

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-xen-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2.2-common depends on:
ii  apache2-utils   2.2.14-3   utility programs for webservers
ii  apache2.2-bin   2.2.14-3   Apache HTTP Server common binary f
ii  libmagic1       5.03-3     File type determination library us
ii  lsb-base        3.2-23     Linux Standard Base 3.2 init scrip
ii  mime-support    3.47-1     MIME files 'mime.types' & 'mailcap
ii  perl            5.10.1-8   Larry Wall's Practical Extraction
ii  procps          1:3.2.8-2  /proc file system utilities

Versions of packages apache2.2-common recommends:
ii  ssl-cert        1.0.25     simple debconf wrapper for OpenSSL

Versions of packages apache2.2-common suggests:
pn  apache2-doc                    <none>  (no description available)
pn  apache2-suexec | apache2-suex  <none>  (no description available)
pn  www-browser                    <none>  (no description available)

Versions of packages apache2.2-common is related to:
pn  apache2-mpm-event    <none>    (no description available)
pn  apache2-mpm-itk      <none>    (no description available)
pn  apache2-mpm-prefork  <none>    (no description available)
ii  apache2-mpm-worker   2.2.14-3  Apache HTTP Server - high speed th

-- no debconf information
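
The multiple-extension matching described in this report can be modelled to audit a file listing for names whose headers would be decided by a non-final extension. This is an added example, not code from the report or from Apache: it is a simplified model of the documented mod_mime behaviour, the function names are hypothetical, and the mappings are only the directives quoted above.

```python
# Added example: simplified model of mod_mime's multiple-extension matching.
# Mappings mirror the directives quoted in the report; names are hypothetical.

DEFAULT_TYPES = {"gz": "application/x-gzip", "tgz": "application/x-gzip"}
GZ_ENCODINGS = {"gz": "x-gzip", "tgz": "x-gzip"}   # the commented-out AddEncoding
WORKAROUND_TYPES = dict(DEFAULT_TYPES, gpg="application/pgp-signature")


def resolve(filename, types, encodings):
    """Return (content_type, content_encodings, extension_that_set_the_type)."""
    ctype, ctype_ext, encs = None, None, []
    # Every dot-separated part after the base name is treated as an extension.
    for ext in (part.lower() for part in filename.split(".")[1:]):
        if ext in types:            # the rightmost type mapping wins
            ctype, ctype_ext = types[ext], ext
        if ext in encodings:        # encodings accumulate
            encs.append(encodings[ext])
        # Unknown extensions are skipped; they do not reset earlier matches.
    return ctype, encs, ctype_ext


def audit(filenames, types, encodings):
    """List files whose headers come from an extension that is not the last one."""
    findings = []
    for name in filenames:
        final = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ctype, encs, ctype_ext = resolve(name, types, encodings)
        type_mismatch = ctype is not None and ctype_ext != final
        enc_mismatch = bool(encs) and final not in encodings
        if type_mismatch or enc_mismatch:
            findings.append((name, ctype, encs))
    return findings


if __name__ == "__main__":
    names = ["data.tar.gz", "data.tar.gz.gpg"]   # constructed sample file names
    configs = [
        ("default", DEFAULT_TYPES, {}),
        ("AddEncoding enabled", DEFAULT_TYPES, GZ_ENCODINGS),
        ("work-around", WORKAROUND_TYPES, {}),
    ]
    for label, types, encodings in configs:
        print(label, audit(names, types, encodings))
```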

