/etc/apache2/mods-available/suexec.load has group read

Bug #872000 reported by Jamie Strandboge
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)

Bug Description

$ ls -l /etc/apache2/mods-available/suexec.load
-rw-rw-r-- 1 root root 64 2011-09-06 13:38 /etc/apache2/mods-available/suexec.load

While this is not security-relevant, it is also not desirable. What happened is that the default umask changed fro 0002 to 0022 in 11.10 (https://blueprints.launchpad.net/ubuntu/+spec/umask-to-0002). While debian/rules does use dh_fixperms, it is using 'dh_fixperms -Xsuexec' which excludes /etc/apache2/mods-available/suexec.load. The package should use:
        dh_fixperms -Xsuexec
        chmod go-wx debian/apache2.2-common/etc/apache2/mods-available/suexec.load

CVE References

Changed in apache2 (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.21-2ubuntu1

apache2 (2.2.21-2ubuntu1) precise; urgency=low

  * Merge from debian unstable. Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth aware passphrase dialog program ask-for-passphrase.

apache2 (2.2.21-2) unstable; urgency=high

  * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
    reverse proxy configurations by strictly validating the request-URI.
  * Correctly set permissions of suexec.load even if umask is 0002 during
    build. LP: #872000

apache2 (2.2.21-1) unstable; urgency=low

  * New upstream release.
    - Fixes CVE-2011-3348: Possible denial of service in mod_proxy_ajp
      if combined with mod_proxy_balancer
 -- Chuck Short <email address hidden> Fri, 14 Oct 2011 16:01:29 +0000

Changed in apache2 (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers