Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)
Package: apache Version: 1.3.33-2 Severity: minor Tags: security Hi. /var/log/apache is world-readable, so users can e.g. check whether certain operation triggered an error. And given that the error strings are pretty standardized, they can guess what string has been added to the logfile, judging by the number of bytes that was appended to the log. As this is not very obvious to the system administrator, and as there is no use of /var/log/apache directory being readable and searchable while the files in it are not, apart from the information disclosure described above, I think it should be chmod-ed 750, just as the logs in it are chmod 640. Thanks. Jan. -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (700, 'testing') Architecture: i386 (i686) Kernel: Linux 2.4.28-jan Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2) Versions of packages apache depends on: ii apache-common 1.3.33-2 Support files for all Apache webse ii debconf 1.4.30.10Debian configuration management sy ii dpkg1.10.25 Package maintenance system for Deb ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an ii libdb4.24.2.52-17Berkeley v4.2 Database Libraries [ ii libexpat1 1.95.8-1 XML parsing C library - runtime li ii libmagic1 4.12-1 File type determination library us ii logrotate 3.7-2Log rotation utility ii mime-support3.28-1 MIME files 'mime.types' & 'mailcap ii perl5.8.4-3 Larry Wall's Practical Extraction -- debconf information: apache/init: true apache/server-port: 80 apache/document-root: /var/www apache/server-admin: [EMAIL PROTECTED] apache/server-name: localhost * apache/enable-suexec: false -- )^o-o^|jabber: [EMAIL PROTECTED] | .v Ke-mail: jjminar FastMail FM ` - .' phone: +44(0)7981 738 696 \ __/Jan icq: 345 355 493 __|o|__Minář irc: [EMAIL PROTECTED] pgpzkgVkL4mfq.pgp Description: PGP signature
Bug#286683: Please proxy_* adding LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
Package: apache2 Version: 2.0.52-3 Severity: wishlist Hi. I want /etc/apache2/mods-available/proxy_* files adding LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
Bug#286604: apache using large amounts of CPU
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 severity 286604 important reassign 286604 php4 thanks PaulWB wrote: | | | package: apache | version: 1.3.33-2 | severity: critical | | | A module or package has been upgraded recently and is creating large | problems for apache if a module has been upgraded that creates problems for apache, it is not an apache fault. | | Process 10487 attached - interrupt to quit | --- SIGALRM (Alarm clock) @ 0 (0) --- | sigreturn() = ? (mask now []) | --- SIGPROF (Profiling timer expired) @ 0 (0) --- | setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={240, 0}}, NULL) = 0 | rt_sigaction(SIGPROF, {0xb7708830, [PROF], SA_RESTART}, {0xb7708830, | [PROF], SA_RESTART}, 8) = 0 | rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0 | mmap2(NULL, 2097152, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, | -1, 0) = 0xb7249000 | munmap(0xb7249000, 749568) = 0 | munmap(0xb740, 299008) = 0 | mprotect(0xb730, 135168, PROT_READ|PROT_WRITE) = 0 | open("/local/logs/php", O_WRONLY|O_APPEND|O_CREAT, 0666) = 7 | fstat64(7, {st_mode=S_IFREG|0777, st_size=58064679, ...}) = 0 | mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, | 0) = 0xb7448000 | fstat64(7, {st_mode=S_IFREG|0777, st_size=58064679, ...}) = 0 | _llseek(7, 58064679, [58064679], SEEK_SET) = 0 | time([1103599287]) = 1103599287 | write(7, "[21-Dec-2004 14:21:27] PHP Fatal"..., 142) = 142 This call looks very suspicious.. why should it be Fatal? | close(7)= 0 | munmap(0xb7448000, 4096)= 0 | chdir("/") = 0 | futex(0xb7e76620, FUTEX_WAIT, 2, NULL | | Fabio - -- Self-Service law: The last available dish of the food you have decided to eat, will be inevitably taken from the person in front of you. -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.5 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBx7snhCzbekR3nhgRAvgyAKCd9fzoYhAHrqqVfgvsZkp2q/LwQgCffhfB hNZlnREWiF3OfulzmG4NV54= =pxhD -END PGP SIGNATURE-
Processed: Re: Bug#286604: apache using large amounts of CPU
Processing commands for [EMAIL PROTECTED]: > severity 286604 important Bug#286604: apache using large amounts of CPU Severity set to `important'. > reassign 286604 php4 Bug#286604: apache using large amounts of CPU Bug reassigned from package `apache' to `php4'. > thanks Stopping processing here. Please contact me if you need assistance. Debian bug tracking system administrator (administrator, Debian Bugs database)