* [gentoo-dev] Apache security hole and ebuild
From: Kim Nielsen @ 2002-06-19 11:05 UTC
To: gentoo-dev
Hi,
I have a production site and have problems with the apache ebuild
it's version 1.3.24-r6 and this is what I get:
fopen: No such file or directory
apache: could not open document config file /usr/conf/apache.conf
fopen: No such file or directory
apache: could not open document config file /usr/conf/apache.conf
fopen: No such file or directory
apache: could not open document config file /usr/conf/apache.conf
Could someone please fix this and patch the security hole while they are
at it ?
I have tried the #gentoo-dev channel but was not allowed to write .. so
here goes!
/Kim
--
I am the face that stares at you from the shadows.
http://www.insecurity.dk
* Re: [gentoo-dev] Apache security hole and ebuild
From: Sloan Poe @ 2002-06-19 12:39 UTC
To: gentoo-dev
it seems that at some point.. someone changed the way apache was
installed.. I just upgraded and now I'm not sure what's supposed to be
what..
The docroot was in /usr/local/httpd/htdocs, but now seems to be moved to
/var/www/htdocs ??
also it seems that the configuration moved from /etc/httpd to
/etc/apache
Could someone please clarify all the changes that got made here
thanks
Sloan...
On Wed, 2002-06-19 at 07:05, Kim Nielsen wrote:
> Hi,
>
> I have a production site and have problems with the apache ebuild
>
> it's version 1.3.24-r6 and this is what I get:
>
> fopen: No such file or directory
> apache: could not open document config file /usr/conf/apache.conf
> fopen: No such file or directory
> apache: could not open document config file /usr/conf/apache.conf
> fopen: No such file or directory
> apache: could not open document config file /usr/conf/apache.conf
>
> Could someone please fix this and patch the security hole while they are
> at it ?
>
> I have tried the #gentoo-dev channel but was not allowed to write .. so
> here goes!
>
> /Kim
> --
> I am the face that stares at you from the shadows.
> http://www.insecurity.dk
--
Sloan Poe
rpoe@warren-wilson.edu
If I'm insane, who are you in?
* Re: [gentoo-dev] Apache security hole and ebuild
From: Grant Goodyear @ 2002-06-19 13:44 UTC
To: gentoo-dev
> it seems that at some point.. someone changed the way apache was
> installed.. I just upgraded and now I'm not sure what's supposed to be
> what..
>
> The docroot was in /usr/local/httpd/htdocs, but now seems to be moved to
> /var/www/htdocs ??
>
> also it seems that the configuration moved from /etc/httpd to
> /etc/apache
>
>
> Could someone please clarify all the changes that got made here
Actually, all of the changes are documented. Take a look
at /usr/portage/net-www/apache/ChangeLog.
-g2boojum-
* Re: [gentoo-dev] Apache security hole and ebuild
From: Doug Goldstein @ 2002-06-19 18:37 UTC
To: gentoo-dev
http://bugs.gentoo.org/show_bug.cgi?id=3879 addresses a similar situation;
following the steps listed there should get you going. Please also note that
you shouldn't just blindly upgrade on a production server; read the
ChangeLogs prior to doing that.
-Doug
On Wednesday 19 June 2002 09:44 am, Grant Goodyear wrote:
> > it seems that at some point.. someone changed the way apache was
> > installed.. I just upgraded and now I'm not sure what's supposed to be
> > what..
> >
> > The docroot was in /usr/local/httpd/htdocs, but now seems to be moved to
> > /var/www/htdocs ??
> >
> > also it seems that the configuration moved from /etc/httpd to
> > /etc/apache
> >
> >
> > Could someone please clarify all the changes that got made here
>
> Actually, all of the changes are documented. Take a look
> at /usr/portage/net-www/apache/ChangeLog.
>
> -g2boojum-
* Re: [gentoo-dev] Apache security hole and ebuild
From: Kim Nielsen @ 2002-06-19 19:30 UTC
To: gentoo-dev
On Wed, 2002-06-19 at 20:37, Doug Goldstein wrote:
> http://bugs.gentoo.org/show_bug.cgi?id=3879 addresses a similar situation;
> following the steps listed there should get you going. Please also note that
> you shouldn't just blindly upgrade on a production server; read the
> ChangeLogs prior to doing that.
I know that I should not upgrade blindly and I'm not .. I'm still running the
httpd ebuild and wanted to change to the apache.ebuild .. so
installing apache and testing does not stop the other service
/Kim
--
I'm the face that stares at you from the shadows.
http://www.insecurity.dk
* Re: [gentoo-dev] Apache security hole and ebuild
From: Bjarke Sørensen @ 2002-06-19 22:13 UTC
To: gentoo-dev
On Wed, Jun 19, 2002 at 09:44:38AM -0400, Grant Goodyear wrote:
> > The docroot was in /usr/local/httpd/htdocs, but now seems to be moved to
> > /var/www/htdocs ??
> > also it seems that the configuration moved from /etc/httpd to
> > /etc/apache
> > Could someone please clarify all the changes that got made here
> Actually, all of the changes are documented. Take a look
> at /usr/portage/net-www/apache/ChangeLog.
Ohh, yeah.
o the config files are now in /etc/apache/conf, conveniently organized
into separate directories for addon-modules and vhosts. this simplifies
things for everybody and especially for those with complicated/large sites.
Just not when you already worked around this and have this
"complicated/large site". Sorry I missed the announcement that something
vital was done to apache. Good thing I haven't blindly upgraded.
I think I'll hold back till things about apache settle..
Too many people have problems with it. But maybe we all expected
something more than a note in a changelog for such a change.
--
| Bjarke Sørensen / 9000.WASD
|
| There are 10 types of people in this world:
| Those who understand binary, and those who don't.
* Re: [gentoo-dev] Apache security hole and ebuild
From: Wout Mertens @ 2002-06-20 11:46 UTC
To: gentoo-dev
Hey Bjarke,
On Thu, 20 Jun 2002, Bjarke Sørensen wrote:
> On Wed, Jun 19, 2002 at 09:44:38AM -0400, Grant Goodyear wrote:
> > Actually, all of the changes are documented. Take a look
> > at /usr/portage/net-www/apache/ChangeLog.
>
> Ohh, yeah.
>
> Just not when you already worked around this and have this
> "complicated/large site". Sorry I missed the announcement that something
> vital was done to apache. Good thing I haven't blindly upgraded.
Which is very good, as a "complicated/large site"-admin, you need to test
things before you make them happen. If you tweak stuff in a package, you
can expect it to break updates...
> Too many people have problems with it. But maybe we all expected
> something more than a note in a changelog for such a change.
But that is exactly what Changelog is for, notifying the user about what
changed. Although I admit it doesn't have a lot of visibility, we might
want to do something about that, like an option on emerge that shows the
changelogs since your version...
If you have other ideas, please tell us.
Wout.
* Re: [gentoo-dev] Apache security hole and ebuild
From: Bjarke Sørensen @ 2002-06-20 13:48 UTC
To: gentoo-dev
On Thu, Jun 20, 2002 at 01:46:59PM +0200, Wout Mertens wrote:
> > On Wed, Jun 19, 2002 at 09:44:38AM -0400, Grant Goodyear wrote:
> > > Actually, all of the changes are documented. Take a look
> > > at /usr/portage/net-www/apache/ChangeLog.
> > Just not when you already worked around this and have this
> > "complicated/large site". Sorry I missed the announcement that something
> > vital was done to apache. Good thing I haven't blindly upgraded.
> Which is very good, as a "complicated/large site"-admin, you need to test
> things before you make them happen. If you tweak stuff in a package, you
> can expect it to break updates...
If the layout and placing of files hadn't been changed I could just
have upgraded.
Don't get me wrong, I think the update was needed to make some sense
and enable some default security (not running as nobody).
> > Too many people have problems with it. But maybe we all expected
> > something more than a note in a changelog for such a change.
> But that is exactly what Changelog is for, notifying the user about what
> changed. Although I admit it doesn't have a lot of visibility, we might
> want to do something about that, like an option on emerge that shows the
> changelogs since your version...
> If you have other ideas, please tell us.
Maybe some verbosity in this direction could be implemented in emerge
then?
Like:
gugi root # emerge mutt --pretend
These are the packages that I would merge, in order.
Calculating dependencies ...done!
[ebuild U ] net-mail/mutt-1.4 to /
gugi root # emerge mutt --verbose --pretend
These are the packages that I would merge, in order.
Calculating dependencies ...done!
[ebuild U ] net-mail/mutt-1.4 to /
29 Apr 2002; Ryan Phillips <rphillips@gentoo.org> mutt-1.4.ebuild :
new version
gugi root #
That would be nice.
--
| Bjarke Sørensen / 9000.WASD
|
| There are 10 types of people in this world:
| Those who understand binary, and those who don't.
* Re: [gentoo-dev] Apache security hole and ebuild
From: Jean-Michel Smith @ 2002-06-20 14:58 UTC
To: Wout Mertens, gentoo-dev
On Thursday 20 June 2002 06:46 am, Wout Mertens wrote:
>
> But that is exactly what Changelog is for, notifying the user about what
> changed. Although I admit it doesn't have a lot of visibility, we might
> want to do something about that, like an option on emerge that shows the
> changelogs since your version...
That is a great idea! I would only add that some indication of severity (with
appropriate colorized output perhaps?) would be nice, so that mundane changes
(new incremental version update, no big changes) would be in white, while
more significant changes that might require configuration changes and/or
break a current running setup (like apache) would be in yellow, while
significant changes (like major version update or very incompatible changes, a
la db3 -> db4 or the recent libpng update) would have a higher severity that
would print out in bright red! :-)
Then one could do an 'emerge -u -p world --show-changelog' (or whatever the
switch ends up being) and see right away, with a casual glance, which changes
are likely to be the most worrisome.
Jean.
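
The "changelog since your version" option with severity tiers proposed in this thread, sketched as an added example; it is not part of any message here and is not Portage code. It assumes a newest-first ChangeLog with `*name-version (date)` release markers, and the keyword tiers and sample ChangeLog are constructed for illustration.

```python
import re

# Entry header in the form quoted in the thread:
#   "29 Apr 2002; Ryan Phillips <rphillips@gentoo.org> mutt-1.4.ebuild :"
ENTRY = re.compile(r"^\s*(\d{1,2} \w{3} \d{4}); .+? <[^>]+> (.*?)\s*:\s*$")
# Assumption: each release starts with a "*name-version (date)" marker line
# and the file is ordered newest first.
RELEASE = re.compile(r"^\*(\S+) \(")

# Hypothetical keyword tiers for the white/yellow/red proposal.
RED = ("incompatible", "major version")
YELLOW = ("config", "moved", "layout", "security")

def severity(text):
    low = text.lower()
    if any(k in low for k in RED):
        return "red"
    return "yellow" if any(k in low for k in YELLOW) else "white"

def entries_since(changelog, installed):
    """Return (date, files, severity, text) for every entry above the
    installed release's marker. An unknown version returns all entries."""
    found, cur = [], None
    for line in changelog.splitlines():
        rel = RELEASE.match(line)
        if rel and rel.group(1) == installed:
            break  # everything below this marker is already on the system
        m = ENTRY.match(line)
        if m:
            cur = (m.group(1), m.group(2), [])
            found.append(cur)
        elif cur and line.strip() and not rel:
            cur[2].append(line.strip())
    return [(d, f, severity(" ".join(t)), " ".join(t)) for d, f, t in found]

# Constructed sample ChangeLog (package, names and text are made up).
SAMPLE = """\
*example-1.1-r1 (19 Jun 2002)
  19 Jun 2002; A Dev <dev@example.org> example-1.1-r1.ebuild :
  Security fix backported from upstream.
*example-1.1 (10 Jun 2002)
  10 Jun 2002; A Dev <dev@example.org> example-1.1.ebuild, files/example.conf :
  Config files moved to /etc/example/conf; incompatible with old layout.
  02 Jun 2002; B Dev <bdev@example.org> example-1.0.ebuild :
  Fixed typo in description.
*example-1.0 (01 May 2002)
  01 May 2002; A Dev <dev@example.org> example-1.0.ebuild :
  new version
"""
```

Calling `entries_since(SAMPLE, "example-1.0")` yields the three entries an admin on 1.0 has not yet seen, with the layout change ranked highest.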
* [gentoo-dev] gperf and gprof
From: Luke Graham @ 2002-06-21 4:00 UTC
To: gentoo-dev
tundra dev-util # emerge -s gperf
[ Results for search key : gperf ]
[ Applications found : 1 ]
* dev-util/gperf
Latest version Available: 2.7.2
Latest version Installed: [ Not Installed ]
Homepage: http://www.gnu.org/software/gperf/gperf.html
Description:
GNU performance analyzer
gperf is actually a perfect hash function generator. gprof is the profiler,
and is included in binutils.
--
luke@trolltech.com Fax: +47 21604801
Trolltech AS, Waldemar Thranes gt. 98, N-0175 Oslo, Norway
* Re: [gentoo-dev] gperf and gprof
From: Luke Graham @ 2002-06-21 7:24 UTC
To: gentoo-dev
I've submitted this in bugzilla now.
--
luke@trolltech.com Fax: +47 21604801
Trolltech AS, Waldemar Thranes gt. 98, N-0175 Oslo, Norway