* [gentoo-dev] Apache security hole and ebuild
From: Kim Nielsen @ 2002-06-19 11:05 UTC
To: gentoo-dev

Hi,

I have a production site and have problems with the apache ebuild

it's version 1.3.24-r6 and this is what I get:

fopen: No such file or directory
apache: could not open document config file /usr/conf/apache.conf
fopen: No such file or directory
apache: could not open document config file /usr/conf/apache.conf
fopen: No such file or directory
apache: could not open document config file /usr/conf/apache.conf

Could someone please fix this and patch the security hole while they are
at it ?

I have tried the #gentoo-dev channel but was not allowed to write .. so
here goes!

/Kim
--
I am the face that stares at you from the shadows.
http://www.insecurity.dk

* Re: [gentoo-dev] Apache security hole and ebuild
From: Sloan Poe @ 2002-06-19 12:39 UTC
To: gentoo-dev

it seems that at some point.. someone changed the way apache was
installed.. I just upgraded and now I'm not sure what's supposed to be
what..

The docroot was in /usr/local/httpd/htdocs, but now seems to be moved to
/var/www/htdocs ??

also it seems that the configuration moved from /etc/httpd to
/etc/apache

Could someone please clarify all the changes that got made here

thanks
Sloan...

On Wed, 2002-06-19 at 07:05, Kim Nielsen wrote:
> Hi,
>
> I have a production site and have problems with the apache ebuild
>
> it's version 1.3.24-r6 and this is what I get:
>
> fopen: No such file or directory
> apache: could not open document config file /usr/conf/apache.conf
> fopen: No such file or directory
> apache: could not open document config file /usr/conf/apache.conf
> fopen: No such file or directory
> apache: could not open document config file /usr/conf/apache.conf
>
> Could someone please fix this and patch the security hole while they are
> at it ?
>
> I have tried the #gentoo-dev channel but was not allowed to write .. so
> here goes!
>
> /Kim
> --
> I am the face that stares at you from the shadows.
> http://www.insecurity.dk

--
Sloan Poe
rpoe@warren-wilson.edu
If I'm insane, who are you in?

* Re: [gentoo-dev] Apache security hole and ebuild
From: Grant Goodyear @ 2002-06-19 13:44 UTC
To: gentoo-dev

> it seems that at some point.. someone changed the way apache was
> installed.. I just upgraded and now I'm not sure what's supposed to be
> what..
>
> The docroot was in /usr/local/httpd/htdocs, but now seems to be moved to
> /var/www/htdocs ??
>
> also it seems that the configuration moved from /etc/httpd to
> /etc/apache
>
>
> Could someone please clarify all the changes that got made here

Actually, all of the changes are documented.  Take a look
at /usr/portage/net-www/apache/ChangeLog.

-g2boojum-

* Re: [gentoo-dev] Apache security hole and ebuild
From: Doug Goldstein @ 2002-06-19 18:37 UTC
To: gentoo-dev

http://bugs.gentoo.org/show_bug.cgi?id=3879 addresses a similar situation;
following the steps listed there should get you going. Please also note that
you shouldn't just blindly upgrade on a production server, read the
ChangeLogs prior to doing that.

-Doug

On Wednesday 19 June 2002 09:44 am, Grant Goodyear wrote:
> > it seems that at some point.. someone changed the way apache was
> > installed.. I just upgraded and now I'm not sure what's supposed to be
> > what..
> >
> > The docroot was in /usr/local/httpd/htdocs, but now seems to be moved to
> > /var/www/htdocs ??
> >
> > also it seems that the configuration moved from /etc/httpd to
> > /etc/apache
> >
> >
> > Could someone please clarify all the changes that got made here
>
> Actually, all of the changes are documented.  Take a look
> at /usr/portage/net-www/apache/ChangeLog.
>
> -g2boojum-

* Re: [gentoo-dev] Apache security hole and ebuild
From: Kim Nielsen @ 2002-06-19 19:30 UTC
To: gentoo-dev

On Wed, 2002-06-19 at 20:37, Doug Goldstein wrote:
> http://bugs.gentoo.org/show_bug.cgi?id=3879 addresses a similar situation;
> following the steps listed there should get you going. Please also note that
> you shouldn't just blindly upgrade on a production server, read the
> ChangeLogs prior to doing that.

I know that I should not blindly and I'm not .. I'm still running the
httpd ebuild and wanted to change to the apache.ebuild .. so by
installing apache and testing does not stop the other service

/Kim
--
I'm the face that stares at you from the shadows.
http://www.insecurity.dk

* Re: [gentoo-dev] Apache security hole and ebuild
From: Bjarke Sørensen @ 2002-06-19 22:13 UTC
To: gentoo-dev

On Wed, Jun 19, 2002 at 09:44:38AM -0400, Grant Goodyear wrote:
> > The docroot was in /usr/local/httpd/htdocs, but now seems to be moved to
> > /var/www/htdocs ??
> > also it seems that the configuration moved from /etc/httpd to
> > /etc/apache
> > Could someone please clarify all the changes that got made here
> Actually, all of the changes are documented.  Take a look
> at /usr/portage/net-www/apache/ChangeLog.

Ohh, yeah.

o the config files are now in /etc/apache/conf, conveniently organized into
  separate directories for addon-modules and vhosts. this simplifies things
  for everybody and especially for those with complicated/large sites.

Just not when you already worked around this and have this
"complicated/large site". Sorry I missed the announce that something
vital was done to apache. Good thing I haven't blindly upgraded.

I think I hold back till things about apache settle..

Too many people have problems with it. But maybe we all expected
something more than a note in a changelog for such a change.

--
 | Bjarke Sørensen / 9000.WASD
 |
 | There are 10 types of people in this world:
 | Those who understand binary, and those who don't.

* Re: [gentoo-dev] Apache security hole and ebuild
From: Wout Mertens @ 2002-06-20 11:46 UTC
To: gentoo-dev

Hey Bjarke,

On Thu, 20 Jun 2002, Bjarke Sørensen wrote:

> On Wed, Jun 19, 2002 at 09:44:38AM -0400, Grant Goodyear wrote:
> > Actually, all of the changes are documented.  Take a look
> > at /usr/portage/net-www/apache/ChangeLog.
>
> Ohh, yeah.
>
> Just not when you already worked around this and have this
> "complicated/large site". Sorry I missed the announce that something
> vital was done to apache. Good thing I haven't blindly upgraded.

Which is very good, as a "complicated/large site"-admin, you need to test
things before you make them happen. If you tweak stuff in a package, you
can expect it to break updates...

> Too many people have problems with it. But maybe we all expected
> something more than a note in a changelog for such a change.

But that is exactly what Changelog is for, notifying the user about what
changed. Although I admit it doesn't have a lot of visibility, we might
want to do something about that, like an option on emerge that shows the
changelogs since your version...

If you have other ideas, please tell us.

Wout.

* Re: [gentoo-dev] Apache security hole and ebuild
From: Bjarke Sørensen @ 2002-06-20 13:48 UTC
To: gentoo-dev

On Thu, Jun 20, 2002 at 01:46:59PM +0200, Wout Mertens wrote:
> > On Wed, Jun 19, 2002 at 09:44:38AM -0400, Grant Goodyear wrote:
> > > Actually, all of the changes are documented.  Take a look
> > > at /usr/portage/net-www/apache/ChangeLog.
> > Just not when you already worked around this and have this
> > "complicated/large site". Sorry I missed the announce that something
> > vital was done to apache. Good thing I haven't blindly upgraded.
> Which is very good, as a "complicated/large site"-admin, you need to test
> things before you make them happen. If you tweak stuff in a package, you
> can expect it to break updates...

If the layout and placing of files hadn't been changed I could just have
upgraded. Don't get me wrong, I think the update was needed to make some
sense and enable some default security (not running as nobody).

> > Too many people have problems with it. But maybe we all expected
> > something more than a note in a changelog for such a change.
> But that is exactly what Changelog is for, notifying the user about what
> changed. Although I admit it doesn't have a lot of visibility, we might
> want to do something about that, like an option on emerge that shows the
> changelogs since your version...
> If you have other ideas, please tell us.

Maybe some verbosity in this direction could be implemented in emerge
then? Like:

gugi root # emerge mutt --pretend

These are the packages that I would merge, in order.

Calculating dependencies ...done!
[ebuild U ] net-mail/mutt-1.4 to /

gugi root # emerge mutt --verbose --pretend

These are the packages that I would merge, in order.

Calculating dependencies ...done!
[ebuild U ] net-mail/mutt-1.4 to /
  29 Apr 2002; Ryan Phillips <rphillips@gentoo.org> mutt-1.4.ebuild :
  new version

gugi root #

That would be nice.

--
 | Bjarke Sørensen / 9000.WASD
 |
 | There are 10 types of people in this world:
 | Those who understand binary, and those who don't.

* Re: [gentoo-dev] Apache security hole and ebuild
From: Jean-Michel Smith @ 2002-06-20 14:58 UTC
To: Wout Mertens, gentoo-dev

On Thursday 20 June 2002 06:46 am, Wout Mertens wrote:
>
> But that is exactly what Changelog is for, notifying the user about what
> changed. Although I admit it doesn't have a lot of visibility, we might
> want to do something about that, like an option on emerge that shows the
> changelogs since your version...

that is a great idea!

i would only add that some indication of severity (with appropriate
colorized output perhaps?) would be nice, so that mundane changes (new
incremental version update, no big changes) would be in white, while more
significant changes that might require configuration changes and/or break
a current running setup (like apache) would be in yellow, while
significant changes (like major version update or very incompatible
changes, a la db3 -> db4 or the recent libpng update) would have a higher
severity that would print out in bright red! :-)

Then one could do an 'emerge -u -p world --show-changelog' (or whatever
the switch ends up being) and see right away, with a casual glance, which
changes are likely to be the most worrisome.

Jean.

* [gentoo-dev] gperf and gprof
From: Luke Graham @ 2002-06-21 4:00 UTC
To: gentoo-dev

tundra dev-util # emerge -s gperf
[ Results for search key : gperf ]
[ Applications found : 1 ]

* dev-util/gperf
      Latest version Available: 2.7.2
      Latest version Installed: [ Not Installed ]
      Homepage: http://www.gnu.org/software/gperf/gperf.html
      Description: GNU performance analyzer

gperf is actually a perfect hash function generator.
gprof is the profiler, and is included in binutils.

--
luke@trolltech.com
Fax: +47 21604801
Trolltech AS, Waldemar Thranes gt. 98, N-0175 Oslo, Norway

* Re: [gentoo-dev] gperf and gprof
From: Luke Graham @ 2002-06-21 7:24 UTC
To: gentoo-dev

I've submitted this in bugzilla now

--
luke@trolltech.com
Fax: +47 21604801
Trolltech AS, Waldemar Thranes gt. 98, N-0175 Oslo, Norway