Bug 328215 - www-servers/apache-2.2.15 changed in flight to disabling cgi
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
Reported: 2010-07-14 04:42 UTC by Kevin Bowling
Modified: 2010-07-14 19:35 UTC
Description Kevin Bowling 2010-07-14 04:42:26 UTC
Somebody committed a change without revbumping Apache that disables mod_cgi by default.

Aside from breaking previously expected behavior, this presents a huge potential for code and password leaks.

Reproducible: Always
Comment 1 Allen Brooker (AllenJB) 2010-07-14 08:40:52 UTC
Why does it need a revision bump? The files installed have not changed. Only the default use flags.

If you're running production servers / code you:
a) Don't keep passwords and other sensitive data under the document root
b) Examine all use flag changes, revision bump or not

How would a revision bump change anything in this scenario? If the admin missed the changes for an update that wasn't a revision bump, why are they going to notice them for a revision bump?
Comment 2 Kevin Bowling 2010-07-14 14:10:13 UTC
A revbump would be sent to testing where things like this can be ironed out.  This was a major in-flight feature change and should not have been thrown immediately into the stable stream, if only to make sure nothing breaks.

The simple solution is to make mod_cgi a default module as it used to be, or provide an appropriate buffer and news item if it is to be disabled by default.

As it stands, this is a security and information leaking issue regardless of best practice.  Code leaks are unavoidable for some applications as cgi uses the ScriptAlias.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-07-14 18:23:23 UTC
This also hit me. It can indeed lead to code or database login leaks, and for me personally, things like this take away a bit of the ease of using gentoo as a server (system administration hates changing defaults). :/

Of course one would notice the change before restarting when using etc-update or dispatch-conf, yet it's not nice.

If the apache team wants to keep "-cgi -cgid", I guess an ewarn would be nice.

BTW: where could I track decisions like this, or are they only discussed internally within the apache team?
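As an added illustration (not code from the bug report, from Gentoo's apache ebuild, or from Apache itself), the script below implements the two checks the thread argues for: comment 1's "examine all use flag changes" via the markers `emerge -pv` prints, and comments 2 and 3's concern that a ScriptAlias directory with no CGI module loaded exposes script sources, passwords included, as plain files. The `emerge -pv` line, the `apache2ctl -M` module list and the ScriptAlias line are constructed samples, and the paths in them are assumptions.

```shell
#!/bin/sh
# Added example for this bug thread; not code from the report, from Gentoo's
# apache ebuild, or from Apache. Two offline checks an admin can run before
# restarting a freshly upgraded apache:
#   1. dropped_use_flags     - USE flags that portage reports as switched off
#                              relative to the installed build (emerge -pv marks a
#                              changed flag with a trailing '*', a new one with '%')
#   2. unhandled_scriptalias - ScriptAlias directories in the config while no
#                              CGI module (cgi_module / cgid_module) is loaded;
#                              with nothing providing the cgi-script handler, the
#                              scripts there are exposed as plain files, which is
#                              the code/password leak the thread is about.
# Every input below is a constructed sample; the paths are assumptions.

# $1: text of `emerge -pv www-servers/apache` output.
# Prints one flag name per line for each USE flag shown as "-flag*" (or "-flag%*").
dropped_use_flags() {
    printf '%s\n' "$1" \
        | sed -n 's/.*USE="\([^"]*\)".*/\1/p' \
        | tr ' ' '\n' \
        | sed -n 's/^-\([^%*]*\)%\{0,1\}\*$/\1/p' \
        | sort
}

# $1: text of `apache2ctl -M` (loaded modules), $2: httpd configuration text.
# Prints the target directory of every ScriptAlias line when neither
# cgi_module nor cgid_module is loaded; prints nothing when a handler is present.
unhandled_scriptalias() {
    mods=$1
    conf=$2
    if printf '%s\n' "$mods" | grep -Eq '^[[:space:]]*cgid?_module[[:space:]]'; then
        return 0
    fi
    printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*ScriptAlias[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p'
}

# Constructed sample inputs, shaped like the upgrade this bug describes:
# cgi and cgid switched off, a new ldap flag, no CGI module loaded afterwards.
SAMPLE_EMERGE='[ebuild     U  ] www-servers/apache-2.2.15 [2.2.14] USE="ssl -cgi* -cgid* ldap% (-selinux)" 0 kB'
SAMPLE_MODULES=' core_module (static)
 alias_module (shared)
 ssl_module (shared)'
SAMPLE_CONF='ServerRoot "/usr/lib/apache2"
Alias /icons/ "/usr/share/apache2/icons/"
ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"'

# Stand-alone run: report both findings for the samples.
report() {
    dropped=$(dropped_use_flags "$SAMPLE_EMERGE")
    [ -n "$dropped" ] && printf 'USE flags switched off by this upgrade:\n%s\n' "$dropped"
    exposed=$(unhandled_scriptalias "$SAMPLE_MODULES" "$SAMPLE_CONF")
    [ -n "$exposed" ] && printf 'ScriptAlias directories with no CGI module loaded:\n%s\n' "$exposed"
    [ -z "$dropped$exposed" ] && echo 'No dropped USE flags, no unhandled ScriptAlias.'
    return 0
}
report
```

Run it against the real `emerge -pv www-servers/apache` output before the merge and against `apache2ctl -M` plus the merged httpd.conf after `etc-update`/`dispatch-conf` but before the restart; a non-empty second list means the cgi-bin directory is about to be served as static files. As a fail-closed companion in the config itself (an editor's suggestion, not something the ebuild ships), a nested `<IfModule !cgi_module>` / `<IfModule !cgid_module>` block carrying `Deny from all` for the ScriptAlias'd `<Directory>` keeps that directory unreachable whenever no CGI handler is loaded, whatever the USE flags happen to be.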
Comment 4 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-07-14 18:27:23 UTC
Bug #327327.
Comment 5 Benedikt Böhm (RETIRED) gentoo-dev 2010-07-14 19:10:43 UTC
Although I fully agree with comment #1, I have added cgi and cgid to the default use flags because it makes sense to have them as default, not because of security holes opened up by performed upgrades without prior checking what they do.
Comment 6 Kevin Bowling 2010-07-14 19:35:39 UTC
(In reply to comment #5)
> although i fully agree with comment #1 i have added cgi and cgid to the default
> use flags because it makes sense to have them as default, not because of
> security holes opened up by performed upgrades without prior checking what they
> do.
> 

This attitude is wrong and you are preaching to the choir about ideal practices.

The lesson learned should be to not introduce nontrivial changes immediately into stable.  The change, necessary for 389 Directory Server, could have been queued with a dependency on the unstable revbump where hopefully implications like this would become known with minimal impact.