forked from pool/apache2
7a70b52ac1
- Update to 2.4.61
*) SECURITY: CVE-2024-39884: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
[boo#1227353]
A regression in the core of Apache HTTP Server 2.4.60 ignores
some use of the legacy content-type based configuration of
handlers. "AddType" and similar configuration, under some
circumstances where files are requested indirectly, result in
source code disclosure of local content. For example, PHP
scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.61, which fixes
this issue.
- Update to 2.4.60
*) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy
handler substitution (cve.mitre.org) [boo#1227271]
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and
earlier allows an attacker to cause unsafe RewriteRules to
unexpectedly setup URL's to be handled by mod_proxy.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in
Denial of Service in mod_proxy via a malicious request
(cve.mitre.org) [boo#1227270]
null pointer dereference in mod_proxy in Apache HTTP Server
2.4.59 and earlier allows an attacker to crash the server via a
malicious request.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38476: Apache HTTP Server may use
exploitable/malicious backend application output to run local
handlers via internal redirect (cve.mitre.org) [boo#1227269]
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
are vulnerably to information disclosure, SSRF or local script
execution via backend applications whose response headers are
malicious or exploitable.
Note: Some legacy uses of the 'AddType' directive to connect a
request to a handler must be ported to 'AddHandler' after this fix.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38475: Apache HTTP Server weakness in
mod_rewrite when first segment of substitution matches
filesystem path. (cve.mitre.org) [boo#1227268]
Improper escaping of output in mod_rewrite in Apache HTTP Server
2.4.59 and earlier allows an attacker to map URLs to filesystem
locations that are permitted to be served by the server but are
not intentionally/directly reachable by any URL, resulting in
code execution or source code disclosure.
Substitutions in server context that use a backreferences or
variables as the first segment of the substitution are affected.
Some unsafe RewiteRules will be broken by this change and the
rewrite flag "UnsafePrefixStat" can be used to opt back in once
ensuring the substitution is appropriately constrained.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38474: Apache HTTP Server weakness with
encoded question marks in backreferences (cve.mitre.org)
[boo#1227278]
Substitution encoding issue in mod_rewrite in Apache HTTP Server
2.4.59 and earlier allows attacker to execute scripts in
directories permitted by the configuration but not directly
reachable by any URL or source disclosure of scripts meant to
only to be executed as CGI.
Note: Some RewriteRules that capture and substitute unsafely will now
fail unless rewrite flag "UnsafeAllow3F" is specified.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding
problem (cve.mitre.org) [boo#1227276]
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and
earlier allows request URLs with incorrect encoding to be sent
to backend services, potentially bypassing authentication via
crafted requests.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF
(cve.mitre.org) [boo#1227267]
SSRF in Apache HTTP Server on Windows allows to potentially leak
NTML hashes to a malicious server via SSRF and malicious
requests or content
Note: Existing configurations that access UNC paths
will have to configure new directive "UNCList" to allow access
during request processing.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null
pointer in websocket over HTTP/2 (cve.mitre.org) [boo#1227272]
Serving WebSocket protocol upgrades over a HTTP/2 connection
could result in a Null Pointer dereference, leading to a crash
of the server process, degrading performance.
Credits: Marc Stern (<marc.stern AT approach-cyber.com>)
OBS-URL: https://build.opensuse.org/request/show/1185778
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=704
266 lines
8.5 KiB
Plaintext
266 lines
8.5 KiB
Plaintext
## Path: Network/WWW/Apache2
|
|
## Description: Configuration for Apache 2
|
|
|
|
## Type: string
|
|
## Default: ""
|
|
## ServiceRestart: apache2
|
|
#
|
|
# Here you can name files, separated by spaces, that should be Include'd from
|
|
# httpd.conf.
|
|
#
|
|
# This allows you to add e.g. VirtualHost statements without touching
|
|
# /etc/apache2/httpd.conf itself, which makes upgrading easier.
|
|
#
|
|
APACHE_CONF_INCLUDE_FILES=""
|
|
|
|
## Type: string
|
|
## Default: ""
|
|
## ServiceRestart: apache2
|
|
#
|
|
# Here you can name directories, separated by spaces, that should be Include'd
|
|
# from httpd.conf.
|
|
#
|
|
# All files contained in these directories will be recursively included by apache.
|
|
# If a pattern like *.conf is appended, apache will use it.
|
|
#
|
|
# Examples: "/etc/apache2/my_conf/"
|
|
# "/etc/apache2/virtual_hosts/*.conf"
|
|
# "local/*.conf /srv/www/virtual/"
|
|
#
|
|
APACHE_CONF_INCLUDE_DIRS=""
|
|
|
|
## Type: string
|
|
## Default: "actions alias auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout"
|
|
## ServiceRestart: apache2
|
|
#
|
|
# [It might look silly to not simply edit httpd.conf for the LoadModule statements.
|
|
# However, since the LoadModule statements might need an absolute path to the modules,
|
|
# switching between MPMs can be quite a hassle. It's easier to just give the names here.]
|
|
#
|
|
# * list of all modules shipped with the base distribution:
|
|
# see /usr/lib64/apache2-$MPM
|
|
# see http://httpd.apache.org/docs/2.4/mod/ !
|
|
#
|
|
# * It pays to use IfDefine statements... like
|
|
# <IfModule mod_xyz.c>
|
|
# ....
|
|
# </IfModule>
|
|
#
|
|
# * In the APACHE_MODULES variable, you can use mod_xyz or just xyz syntax.
|
|
# You may also name an absolute path if you like.
|
|
#
|
|
# * NOTES ON SSL:
|
|
# 1. Before you can use mod_ssl, you need a server certificate.
|
|
# A test certificate can be created by entering e. g.
|
|
#
|
|
# $ gensslcert -n a.com
|
|
#
|
|
# See gensslcert -h for or gensslcert script itself for details.
|
|
# 2. Also, you need to set the ServerName inside the <VirtualHost _default_:443>
|
|
# block to the fully qualified domain name (see /etc/HOSTNAME).
|
|
# 3. If your server certificate is protected by a passphrase you should increase the
|
|
# APACHE_START_TIMEOUT (see above)
|
|
# 4. Consider to load also socache_shmcb module, see
|
|
# http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessioncache
|
|
# for details.
|
|
# 5. To finally enable ssl support, you need to add 'SSL' to APACHE_SERVER_FLAGS
|
|
# below.
|
|
#
|
|
# * modules listed here will be ignored if they are not installed
|
|
#
|
|
#
|
|
# EXAMPLES:
|
|
#
|
|
# fairly minimal
|
|
# APACHE_MODULES="authz_host alias auth dir log_config mime setenvif"
|
|
#
|
|
# apache's default installation
|
|
# APACHE_MODULES="authz_host actions alias asis auth autoindex cgi dir imap include log_config mime negotiation setenvif status userdir"
|
|
# your settings
|
|
APACHE_MODULES="actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout"
|
|
|
|
|
|
## Type: string
|
|
## Default: ""
|
|
## ServiceRestart: apache2
|
|
#
|
|
# Additional server flags:
|
|
#
|
|
# Put here any server flags ("Defines") that you want to hand over to
|
|
# httpd at start time, or other command line flags.
|
|
#
|
|
# Background: Any directives within an <IfDefine flag>...</IfDefine>
|
|
# section are only processed if the flag is defined.
|
|
# This allows to write configuration which is active only in a
|
|
# special cases, like during server maintenance, or for testing
|
|
# something temporarily.
|
|
#
|
|
# Notably, to enable ssl support, 'SSL' needs to be added here.
|
|
#
|
|
# It does not matter if you write flag1, -D flag1 or -Dflag1.
|
|
# Multiple flags can be given as "-D flag1 -D flag2" or simply "flag1 flag2".
|
|
#
|
|
# Specifying such flags here is equivalent to giving them on the commandline.
|
|
# (e.g. via rcapache2 start -DReverseProxy)
|
|
#
|
|
# Example:
|
|
# "SSL HTTP2 AWSTATS SVN_VIEWCVS no_subversion_today"
|
|
#
|
|
APACHE_SERVER_FLAGS=""
|
|
|
|
## Type: string
|
|
## Default: ""
|
|
## ServiceRestart: apache2
|
|
#
|
|
# Which config file do you want to use?
|
|
# (if not set, /etc/apache2/httpd.conf is used.)
|
|
# It is unusual to need to use this setting.
|
|
#
|
|
APACHE_HTTPD_CONF=""
|
|
|
|
## Type: list(prefork,worker,event,itk)
|
|
## Default: ""
|
|
## ServiceRestart: apache2
|
|
#
|
|
# MPM (multi-processing module) to use.
|
|
#
|
|
# Needed to determine with which MPM apache will run (when run
|
|
# via systemd service).
|
|
#
|
|
APACHE_MPM=""
|
|
|
|
## Type: string
|
|
## Default: ""
|
|
## ServiceReload: apache2
|
|
#
|
|
# email address of the server administrator (ServerAdmin directive)
|
|
# This address is added to the server's responses if APACHE_SERVERSIGNATURE
|
|
# is set to "email".
|
|
#
|
|
# If empty ("") it defaults to webmaster@$FQHOSTNAME, where FQHOSTNAME is
|
|
# taken from /etc/HOSTNAME.
|
|
#
|
|
# Note that ServerAdmin directives inside VirtualHost statements are not
|
|
# changed, even not the one in the stock SSL virtual host block.
|
|
#
|
|
APACHE_SERVERADMIN=""
|
|
|
|
## Type: string
|
|
## Default: ""
|
|
## ServiceReload: apache2
|
|
#
|
|
# ServerName gives the name and port that the server uses to identify itself.
|
|
# This can often be determined automatically, but we recommend you specify
|
|
# it explicitly to prevent problems during startup.
|
|
#
|
|
# If this is not set to valid DNS name for your host, server-generated
|
|
# redirections will not work. See also the UseCanonicalName directive.
|
|
#
|
|
# If your host doesn't have a registered DNS name, enter its IP address here.
|
|
# You will have to access it by its address anyway, and this will make
|
|
# redirections work in a sensible way.
|
|
#
|
|
APACHE_SERVERNAME=""
|
|
|
|
## Type: integer
|
|
## Default: 2
|
|
#
|
|
# timeout during server startup (seconds)
|
|
# after this time, the start script decides wether the httpd process started without error.
|
|
#
|
|
# Increase it, if you use mod_ssl and your certificate is passphrase protected!
|
|
#
|
|
APACHE_START_TIMEOUT="2"
|
|
|
|
## Type: list(on,off,email)
|
|
## Default: "on"
|
|
## ServiceReload: apache2
|
|
#
|
|
# Configures the footer on server-generated documents
|
|
# This correlates to the ServerSignature directive.
|
|
#
|
|
APACHE_SERVERSIGNATURE="off"
|
|
|
|
## Type: list(debug,info,notice,warn,error,crit,alert,emerg)
|
|
## Default: "warn"
|
|
## ServiceReload: apache2
|
|
#
|
|
# LogLevel: Control the number of messages logged to the error_log.
|
|
#
|
|
APACHE_LOGLEVEL="warn"
|
|
|
|
## Type: string
|
|
## Default: "/var/log/apache2/access_log combined"
|
|
## ServiceRestart: apache2
|
|
#
|
|
# The location and format of the access logfile (Common Logfile Format).
|
|
# If you do not define any access logfiles within a <VirtualHost>
|
|
# container, they will be logged here. Contrarywise, if you *do*
|
|
# define per-<VirtualHost> access logfiles, transactions will be
|
|
# logged therein and *not* in this file.
|
|
#
|
|
# Simply set it to empty, if you configure it yourself somewhere else.
|
|
#
|
|
# Examples:
|
|
#
|
|
# If you would like to have agent and referer logfiles:
|
|
#
|
|
# setting it to "/var/log/apache2/referer_log referer, /var/log/apache2/agent_log agent"
|
|
# corresponds to
|
|
# CustomLog /var/log/apache2/referer_log referer
|
|
# CustomLog /var/log/apache2/agent_log agent
|
|
#
|
|
# If you prefer a single logfile with access, agent, and referer information
|
|
# (Combined Logfile Format):
|
|
#
|
|
# setting it to "/var/log/apache2/access_log combined"
|
|
# corresponds to
|
|
# CustomLog /var/log/apache2/access_log combined
|
|
#
|
|
APACHE_ACCESS_LOG="/var/log/apache2/access_log combined"
|
|
|
|
## Type: list(On,Off,DNS)
|
|
## Default: "Off"
|
|
## ServiceReload: apache2
|
|
#
|
|
# UseCanonicalName: Determines how Apache constructs self-referencing
|
|
# URLs and the SERVER_NAME and SERVER_PORT variables.
|
|
# When set "Off", Apache will use the Hostname and Port supplied
|
|
# by the client. When set "On", Apache will use the value of the
|
|
# ServerName directive.
|
|
#
|
|
APACHE_USE_CANONICAL_NAME="off"
|
|
|
|
## Type: list(Major,Minor,Minimal,ProductOnly,OS,Full)
|
|
## Default: "OS"
|
|
## ServiceReload: apache2
|
|
#
|
|
# How much information the server response header field contains about the server.
|
|
# (installed modules, versions, etc.)
|
|
# see http://httpd.apache.org/docs/2.4/mod/core.html#servertokens
|
|
#
|
|
APACHE_SERVERTOKENS="ProductOnly"
|
|
|
|
## Type: list(on,off)
|
|
## Default: "off"
|
|
## ServiceReload: apache2
|
|
#
|
|
# Enable or disable TRACE method.
|
|
#
|
|
APACHE_TRACEENABLE="off"
|
|
|
|
## Type: list(on,off,lua)
|
|
## Default: "off"
|
|
## ServiceReload: apache2
|
|
#
|
|
# If mod_status is used, include extended information about the server, like
|
|
# CPU usage, in the status report. It is a server-wide setting, and it can cost
|
|
# some performance!
|
|
#
|
|
# Server status GUI written in lua (see https://www.apache.org/server-status
|
|
# for an example) requires both mod_status and mod_lua to be loaded.
|
|
#
|
|
APACHE_EXTENDED_STATUS="off"
|
|
|
|
|