-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | debian/config-dir/conf.d/security | 13 |
2 files changed, 8 insertions, 10 deletions
diff --git a/debian/changelog b/debian/changelog index 7241bd7c..a3089827 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,11 +12,6 @@ apache2 (2.2.9-3) UNRELEASED; urgency=low - Add ssl-cert to Recommends. * Add a new config file /etc/apache2/conf.d/security with some vaguely security related diectives. (Closes: #260063) - * Disable access to the root directory / by default (closes: #341022). - If you use Aliases or Symlinks that point to directories outside the - DocumentRoot, you need to explicitly allow access to those directories - (Or you can revert to the old behaviour by commenting out the - <Directory /> block in /etc/apache2/conf.d/security . * Adjust mod_userdir accordingly. Also add "AllowOverride Indexes" for the home directories. * Disable SSLv2 by default. It is insecure. Also only enable ciphers with diff --git a/debian/config-dir/conf.d/security b/debian/config-dir/conf.d/security index a83920a1..58c8d7e9 100644 --- a/debian/config-dir/conf.d/security +++ b/debian/config-dir/conf.d/security @@ -2,11 +2,14 @@ # Disable access to the entire file system except for the directories that # are explicitly allowed later. # -<Directory /> - AllowOverride None - Order Deny,Allow - Deny from all -</Directory> +# This currently breaks the configurations that come with some web application +# Debian packages. It will be made the default for the release after lenny. +# +#<Directory /> +# AllowOverride None +# Order Deny,Allow +# Deny from all +#</Directory> # Changing the following options will not really affect the security of the |
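Review bot: In the debian/changelog hunk, the entry " * Adjust mod_userdir accordingly." is left as unchanged context directly after the removed lines. Once the "Disable access to the root directory / by default" entry is gone, "accordingly" no longer refers to anything. Either reword that entry so it stands alone, or confirm that the mod_userdir adjustment is still wanted without the default deny. The removed entry also carried "(closes: #341022)". Since conf.d/security still ships the block in commented-out form, a replacement entry saying that the block is provided but disabled, without the closes tag, would keep the changelog accurate about what the package installs.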
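Review bot: In the debian/config-dir/conf.d/security hunk, the heading comment "Disable access to the entire file system except for the directories that are explicitly allowed later." stays as context above a block that is now fully commented out. An administrator skimming the file can read it as describing active behaviour. Reword the heading to say the block is optional and off by default, and state in the added comment that uncommenting it is the recommended setting where the installed web applications allow it. The change also comments out "AllowOverride None" along with the "Order Deny,Allow" and "Deny from all" lines. If only the deny rule breaks the packaged web application configurations, consider leaving the AllowOverride line active in its own <Directory /> block. If the override setting is part of the breakage, say so in the comment.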