forked from pool/apache2
9ac936a203
*) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with
mod_rewrite in server/vhost context on Windows (cve.mitre.org)
[boo#1228098]
SSRF in Apache HTTP Server on Windows with mod_rewrite in
server/vhost context, allows to potentially leak NTML hashes to
a malicious server via SSRF and malicious requests.
Users are recommended to upgrade to version 2.4.62 which fixes
this issue.
Credits: Smi1e (DBAPPSecurity Ltd.)
*) SECURITY: CVE-2024-40725: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
[boo#1228097]
A partial fix for CVE-2024-39884 in the core of Apache HTTP
Server 2.4.61 ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.62, which fixes
this issue.
*) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
"balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
with BalancerMember(s). PR 69168. [Yann Ylavic]
*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs.
PR 69160 [Yann Ylavic]
*) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2.
[Joe Orton]
*) mod_ssl: Add support for loading certs/keys from pkcs11: URIs
via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>]
*) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0.
[Ruediger Pluem, Yann Ylavic]
*) mpm_worker: Fix possible warning (AH00045) about children processes not
terminating timely. [Yann Ylavic]
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=706
56 lines
1.5 KiB
Plaintext
56 lines
1.5 KiB
Plaintext
#
|
|
# UserDir: The name of the directory that is appended onto a user's home
|
|
# directory if a ~user request is received.
|
|
#
|
|
|
|
<IfModule mod_userdir.c>
|
|
# Note that the name of the user directory ("public_html") cannot easily be
|
|
# changed here, since it is a compile time setting. The apache package
|
|
# would have to be rebuilt. You could work around by deleting
|
|
# /usr/sbin/suexec, but then all scripts from the directories would be
|
|
# executed with the UID of the webserver.
|
|
#
|
|
# To rebuild apache with another setting you need to change the
|
|
# %userdir define in the spec file.
|
|
|
|
# not every user's directory should be visible:
|
|
UserDir disabled root
|
|
|
|
# to enable UserDir only for a certain set of users, use this instead:
|
|
#UserDir disabled
|
|
#UserDir enabled user1 user2
|
|
|
|
|
|
# the UserDir directive is actually used inside the virtual hosts, to
|
|
# have more control
|
|
#UserDir public_html
|
|
|
|
<Directory /home/*/public_html>
|
|
|
|
AllowOverride FileInfo AuthConfig Limit Indexes
|
|
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
|
|
|
|
<Limit GET POST OPTIONS PROPFIND>
|
|
<IfModule !mod_access_compat.c>
|
|
Require all granted
|
|
</IfModule>
|
|
<IfModule mod_access_compat.c>
|
|
Order allow,deny
|
|
Allow from all
|
|
</IfModule>
|
|
</Limit>
|
|
|
|
<LimitExcept GET POST OPTIONS PROPFIND>
|
|
<IfModule !mod_access_compat.c>
|
|
Require all denied
|
|
</IfModule>
|
|
<IfModule mod_access_compat.c>
|
|
Order deny,allow
|
|
Deny from all
|
|
</IfModule>
|
|
</LimitExcept>
|
|
|
|
</Directory>
|
|
|
|
</IfModule>
|