commit: a63ce98a6297bf371488c26c034dc22f6d8877b9 Author: Sebastian Pipping <sebastian <AT> pipping <DOT> org> AuthorDate: Mon Apr 6 12:51:19 2015 +0000 Commit: Sebastian Pipping <sping <AT> gentoo <DOT> org> CommitDate: Mon Apr 6 12:51:31 2015 +0000 URL: https://gitweb.gentoo.org/proj/gentoo-news.git/commit/?id=a63ce98a
Improve news item "Apache AddHandler/AddType vulnerability protection" .../2015-04-06-apache-addhandler-addtype.en.txt | 12 ++++++++---- .../2015-04-06-apache-addhandler-addtype.en.txt.asc | 6 +++--- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt index d7d58af..f90d091 100644 --- a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt +++ b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt @@ -1,8 +1,8 @@ -Title: Apache AddHandler/AddType vulnerability protection +Title: Apache AddHandler/AddType exploit protection Author: Sebastian Pipping <[email protected]> Content-Type: text/plain Posted: 2015-04-06 -Revision: 1 +Revision: 2 News-Item-Format: 1.0 Display-If-Installed: www-servers/apache @@ -22,7 +22,7 @@ index.php.png is not executed, but index.php.disabled still is. Apache's notes on multiple file extensions [3] document a multi-language website as a context where that behavior -may be helpful. Unfortunately, it can be a security threat. +may be helpful. Unfortunately, it can also be a security threat. Combined with (not just PHP) applications that support file upload, the AddHandler/AddType directive can get you into @@ -43,6 +43,10 @@ Why this news entry? * Since Apache configuration lives below /etc, you need to run etc-update (or a substitute) to actually have related fixes applied. + To get them into the running instance of Apache, + you need to make it reload its configuration, e.g. + + sudo /etc/init.d/apache2 reload * If you are currently relying on AddHandler to execute secret_database_stuff.php.inc, moving away from AddHandler @@ -71,7 +75,7 @@ Why this news entry? #RewriteRule .* - [R=404,L] </FilesMatch> - * You may be using AddHandler or AddType at other places, + * You may be using AddHandler or AddType in other places, including off-package files. Please have a look. * app-eselect/eselect-php is not the only package affected. diff --git a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc index 6009404..24ff156 100644 --- a/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc +++ b/2015/2015-04-06-apache-addhandler-addtype/2015-04-06-apache-addhandler-addtype.en.txt.asc @@ -1,7 +1,7 @@ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 -iEYEABECAAYFAlUhwHwACgkQsAvGakAaFgCENgCZAYxX6GOQsU+k50P2r1SWIRQp -mmwAoKGcmcQVTM9uBTNp+s0cU2lByHPT -=uDRW +iEYEABECAAYFAlUigTAACgkQsAvGakAaFgCjYgCgolN2sUZAffYDBcPQ5tQ/nJJH +vOUAn2VaVIeKYOcmlQV8hct2IhL4ZfMC +=/vsQ -----END PGP SIGNATURE-----
