link in default index.html should be HTTPS
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apache2 (Debian) | New | Unknown | | |
apache2 (Ubuntu) | Fix Released | Low | Bryce Harrington | |
Bug Description
Hi folks,
When running the Hardenize (https:/
To reproduce
* Start with a base install of ubuntu server
* run the following commands:
sudo apt-get update; sudo apt-get dist-upgrade; sudo apt-get install apache2
* optionally set up SSL
* browse to http(s)://<your server IP or hostname>
* hover over the link on public_html & observe it begins with http://
All the best,
Chris 8-)
Related branches
- git-ubuntu bot: Approve
- Andreas Hasenack: Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server Reporter: Pending requested
- Canonical Server Core Reviewers: Pending requested
Diff: 3212 lines (+2410/-62), 16 files modified
debian/apache2-bin.install (+1/-0)
debian/apache2-utils.ufw.profile (+14/-0)
debian/apache2.dirs (+1/-0)
debian/apache2.install (+1/-0)
debian/apache2.postrm (+2/-0)
debian/apache2.py (+48/-0)
debian/changelog (+2230/-2)
debian/config-dir/mods-available/setenvif.conf (+2/-0)
debian/control (+5/-3)
debian/debhelper/apache2-maintscript-helper (+4/-0)
debian/index.html (+52/-57)
debian/patches/fix-dolphin-to-delete-webdav-dirs.patch (+16/-0)
debian/patches/series (+1/-0)
debian/source/include-binaries (+1/-0)
debian/tests/check-ubuntu-branding (+28/-0)
debian/tests/control (+4/-0)
Changed in apache2 (Debian):
status: Unknown → New
Hello and thanks for this bug report. There is indeed a plain http link in the default index.html:
<a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
I doubt this is going to be an issue in any practical way, so I don't think we're going to deviate from Debian in order to fix this in Ubuntu: the extra maintenance effort is not justified. The right place to fix this is in the Debian packaging, and I see you already filed a Debian bug.
If you feel so inclined, you could submit a MR on salsa (the Debian GitLab) that updates these links:
https://salsa.debian.org/apache-team/apache2/-/blob/87fb3dac24ae682fb15182c2ab1dc7e717ded818/debian/index.html#L329
https://salsa.debian.org/apache-team/apache2/-/blob/87fb3dac24ae682fb15182c2ab1dc7e717ded818/debian/index.html#L350
Eventually Ubuntu will pick up the fix.
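
A check for the issue discussed in this report, as an added example that is not part of the bug thread or of the apache2 packaging: it parses an HTML page and lists every `href`, `src` or `action` URL that still uses the plain `http` scheme, with its line number. The names `PlainHttpFinder` and `find_plain_http` are hypothetical, and the sample page is constructed around the link quoted above.

```python
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value is a URL the browser follows or fetches.
URL_ATTRS = {"href", "src", "action"}

# Constructed sample: line 2 carries the link quoted in this report.
SAMPLE = """<html><body>
<p><a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html">public_html</a></p>
<p><a href="/manual">manual</a> <a href="https://example.org/">other</a></p>
</body></html>
"""


class PlainHttpFinder(HTMLParser):
    """Record (line, tag, attribute, url) for each URL with the http scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _column = self.getpos()  # position of the tag's opening "<"
        for name, value in attrs:
            if name in URL_ATTRS and value:
                url = value.strip()
                # urlsplit lowercases the scheme; relative URLs have none.
                if urlsplit(url).scheme == "http":
                    self.findings.append((line, tag, name, url))


def find_plain_http(html_text):
    finder = PlainHttpFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # Scan the file given as the first argument, or the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    hits = find_plain_http(text)
    for line, tag, name, url in hits:
        print(f"line {line}: <{tag} {name}=...> uses plain HTTP: {url}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status when a plain-HTTP link is found lets the script act as a failing check in a package test or CI job.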