
Bug 387157

Summary: www-servers/apache-2.2.21 optional patches to config files re default configs, security
Product: Gentoo Linux Reporter: Steve Dibb (RETIRED) <beandog>
Component: New packages
Assignee: Apache Team - Bugzilla Reports <apache-bugs>
Status: RESOLVED FIXED
Severity: normal CC: idl0r, pva
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: changes to document default settings
add IgnoreClient to defaults for IndexOptions

Description Steve Dibb (RETIRED) gentoo-dev 2011-10-14 18:50:29 UTC
Created attachment 289809 [details, diff]
changes to document default settings

I'm submitting two patches that I think should be added to our default Apache configuration files.

Here are the changes, and my reasons for suggesting them:

First, 00_default_settings.conf.patch

* EnableMMAP and EnableSendfile default to 'On'

I think the documentation by default is confusing, as it is commented out and defaults to 'off'.  It's not clear from reading that that it is actually set to 'On' by default, by upstream.

* Add FileEtag documentation

I included a small snippet from upstream's docs regarding the module, as well as the default configuration.  This makes it easier for users to enable/disable.

* Add ContentDigest documentation

Again, like FileEtag, just some documentation plus the default setting by upstream.

Second, 00_mod_autoindex.conf.patch

* Add 'IgnoreClient' to default settings for 'IndexOptions' for security purposes

See the documentation I added to the config file.  It's a workaround for upstream's 2.2.19 security release, and I went ahead and added it by default.
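The settings the two patches describe, written out here as an added illustration rather than the attached patch text (which is not reproduced on this page). Directive syntax and the upstream 2.2 defaults follow the Apache documentation; the file names are the ones named in the report, and the pre-existing IndexOptions line is an assumption.

```apache
# 00_default_settings.conf (illustrative excerpt)

# EnableMMAP / EnableSendfile: upstream's compiled-in default is On, so the
# directives are shown uncommented at their effective value instead of as a
# commented-out "Off" that is easily misread as the active setting.
EnableMMAP On
EnableSendfile On

# FileETag: which file attributes build the ETag response header.
# Upstream default (2.2): INode MTime Size.
FileETag INode MTime Size

# ContentDigest: whether Content-MD5 headers are generated for static files.
# Upstream default: Off.
ContentDigest Off

# 00_mod_autoindex.conf (illustrative excerpt)
<IfModule mod_autoindex.c>
    # Before (assumed previous default): a client can steer the generated
    # listing through query-string parameters such as the sort column/order.
    #IndexOptions FancyIndexing VersionSort

    # After: IgnoreClient makes mod_autoindex ignore all query-string
    # parameters from the client and removes the column-sorting links, so the
    # listing is produced only from the server-side options. This is the
    # workaround the report refers to for the 2.2.19 security release; the
    # later comments prefer depending on >=apr-1.4.5 as the real fix.
    IndexOptions FancyIndexing VersionSort IgnoreClient
</IfModule>
```

Run `apachectl configtest` after applying such changes to confirm the directives parse before reloading.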
Comment 1 Steve Dibb (RETIRED) gentoo-dev 2011-10-14 18:50:58 UTC
Created attachment 289811 [details, diff]
add IgnoreClient to defaults for IndexOptions
Comment 2 Steve Dibb (RETIRED) gentoo-dev 2011-10-14 18:51:23 UTC
I wanted to add, these patches are to be applied to pva's rolled tarball of configuration files.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-10-14 19:53:09 UTC
Thank you for these additions, Steve! Do you think it's worth providing default settings uncommented? I'd rather document them and keep them commented. Also I'd like to avoid IgnoreClient in IndexOptions - it looks like a better workaround will be to depend on >=apr-1.4.5. Thank you for pointing out this vulnerability, btw.
Comment 4 Steve Dibb (RETIRED) gentoo-dev 2011-10-14 20:13:00 UTC
(In reply to comment #3)
> Thank you for these additions, Steve! Do you think it's worth providing
> default settings uncommented? I'd rather document them and keep them commented.

I prefer keeping the style consistent, where Apache already has the options, with its defaults uncommented.  The reason being that, if they were commented out, it may give the impression that they are not being used, or set, when they are already set by default, and we are just displaying what it is set to.

> Also I'd like to avoid IgnoreClient in IndexOptions - it looks like a better
> workaround will be to depend on >=apr-1.4.5. Thank you for pointing out this
> vulnerability, btw.

That's fine, I don't feel strongly about it either way, but I might suggest it'd be good to have if we are going to keep older versions.
Comment 5 Krzysztof Pawlik (RETIRED) gentoo-dev 2011-10-16 07:30:29 UTC
Looks good to me Steve.
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2011-10-18 06:44:23 UTC
Thank you for the report. These defaults were added in 2.2.21-r1. The dependency on >=apr-1.4.5 is there too.