after upgrade 19.04 to 19.10, apache serves php code
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apache2 (Ubuntu) | Fix Released | High | Bryce Harrington |
Bug Description
Apache2 has been working as a server on localhost (as well as on a fixed IP when my laptop is at work) for years/many versions.
I just upgraded to 19.10 from 19.04, and without receiving any warning during the upgrade, my index.php was rendered as plain text on the server! This was a security breach.
ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: apache2 (not installed)
ProcVersionSign
Uname: Linux 5.3.0-19-generic x86_64
Apache2ConfdDir
Apache2Modules: Error: command ['pkexec', '/usr/sbin/
ApportVersion: 2.20.11-0ubuntu8.1
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Fri Nov 1 09:52:04 2019
EcryptfsInUse: Yes
InstallationDate: Installed on 2019-01-24 (280 days ago)
InstallationMedia: Ubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.3)
SourcePackage: apache2
UpgradeStatus: Upgraded to eoan on 2019-10-31 (0 days ago)
error.log: Error: [Errno 13] Permission denied: '/var/log/
Related branches
- Christian Ehrhardt (community): Needs Fixing
- Canonical Server: Pending requested
- Diff: 253 lines (+172/-5), 6 files modified
  - debian/changelog (+90/-0)
  - debian/control (+4/-1)
  - debian/control.in (+4/-1)
  - debian/libapache2-mod-php.postinst.extra (+8/-3)
  - debian/patches/CVE-2019-11048.patch (+65/-0)
  - debian/patches/series (+1/-0)

- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Ubuntu Server: Pending requested
- Diff: 62 lines (+16/-2), 3 files modified
  - debian/changelog (+8/-0)
  - debian/control (+4/-1)
  - debian/control.in (+4/-1)

- Bryce Harrington (community): Needs Information
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
- git-ubuntu developers: Pending requested
- Diff: 39 lines (+9/-0), 3 files modified
  - debian/changelog (+7/-0)
  - debian/control (+1/-0)
  - debian/control.in (+1/-0)
summary:
- after upgrade 18.04 to 18.10, apache serves php code
+ after upgrade 19.04 to 19.10, apache serves php code
description: updated
Changed in apache2 (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
tags: removed: server-triage-discuss
It seems that something like the following may close the security hole:
`sudo a2enmod php7.3`
`systemctl restart apache2`
In which case, this should have been taken care of during the upgrade? Or when php5 was deleted??
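
A post-upgrade check for the condition this report describes, added here as an example (it is not code from the bug report or from the Ubuntu packaging). It assumes the Debian/Ubuntu Apache layout with `mods-available` and `mods-enabled` under `/etc/apache2` and mod_php shipped as `phpX.Y.load`; the function names are hypothetical.

```bash
#!/bin/sh
# Added example: detect "mod_php installed but not enabled" and raw PHP source
# in a response body. Paths assume the Debian/Ubuntu Apache layout.

# Print mod_php modules present in mods-available but not usable in mods-enabled.
disabled_php_modules() {
    local root="${1:-/etc/apache2}" f name
    for f in "$root"/mods-available/php*.load; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=$(basename "$f")
        # -e follows symlinks, so a dangling link left behind by a removed
        # PHP version does not count as an enabled module.
        [ -e "$root/mods-enabled/$name" ] || echo "${name%.load}"
    done
}

# Succeed if the body on stdin contains a PHP open tag, meaning the file
# was served unparsed instead of being executed.
leaks_php_source() {
    grep -qE '<\?(php|=)'
}

# $1 = Apache config root, $2 = file holding the body fetched for a .php URL.
# Returns 0 = clean, 1 = module not enabled, 2 = source visible in response.
php_exposure_report() {
    local root="$1" body="$2" missing status=0
    missing=$(disabled_php_modules "$root")
    if [ -n "$missing" ]; then
        echo "mod_php available but not enabled (candidate for a2enmod): $missing"
        status=1
    fi
    if leaks_php_source < "$body"; then
        echo "response body contains raw PHP source"
        status=2
    fi
    return "$status"
}
```

On a live host, save the response first (for example `curl -s http://localhost/index.php > body.txt`) and then run `php_exposure_report /etc/apache2 body.txt`.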