[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 7 commits: debian/NEWS: Add file, inform about PHP being disabled in Apache2 user directories.
Mike Gabriel (@sunweaver)
gitlab at salsa.debian.org
Fri Feb 4 12:08:50 GMT 2022
Mike Gabriel pushed to branch master at Debian Edu / debian-edu-config
Commits:
e49463b4 by Mike Gabriel at 2022-02-04T12:24:58+01:00
debian/NEWS: Add file, inform about PHP being disabled in Apache2 user directories.
- - - - -
bd26a87f by Mike Gabriel at 2022-02-04T12:27:57+01:00
d/debian-edu-config.postinst: Amend adduser call, lintian complains about quote being used.
- - - - -
7b25837b by Mike Gabriel at 2022-02-04T12:29:00+01:00
d/debian-edu-config.<scripts>: Add a+x executable bit to script files
- - - - -
eb2d1085 by Mike Gabriel at 2022-02-04T13:00:29+01:00
debian/control: Add D: adduser.
- - - - -
8ecfb74a by Mike Gabriel at 2022-02-04T13:03:13+01:00
debian/debian-edu-config.postinst: Replace calling 'service' by calling 'invoke-rc.d'. Thanks, lintian.
- - - - -
193d6d65 by Mike Gabriel at 2022-02-04T13:03:44+01:00
debian/debian-edu-config.lintian-overrides: Adjust line number references in lintian overrides.
- - - - -
2e4bdfe8 by Mike Gabriel at 2022-02-04T13:07:56+01:00
release as 2.12.16
Signed-off-by: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
- - - - -
6 changed files:
- + debian/NEWS
- debian/changelog
- debian/control
- debian/debian-edu-config.lintian-overrides
- debian/debian-edu-config.postinst
- debian/debian-edu-config.postrm
Changes:
=====================================
debian/NEWS
=====================================
@@ -0,0 +1,15 @@
+debian-edu-config (2.12.16) unstable; urgency=medium
+
+ CVE-2021-20001: For mitigating potential privilege escalations that
+ could be caused by malicious PHP script in Apache2-accessible user
+ directories (i.e. PHP files placed into ~/public_html) on the Debian
+ Edu mainserver, the PHP engine is now disabled for Apache2 user
+ directories (see /etc/apache2/mods-enabled/debian-edu-userdir.conf).
+ .
+ However, if PHP functionality is required for Apache2 user directories
+ for educational purposes, an alternative configuration approach is provided
+ in:
+
+ /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI+suExec.md
+
+ -- Mike Gabriel <sunweaver at debian.org> Fri, 04 Feb 2022 12:14:05 +0100
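Review bot: the blank lines inside this entry are written two ways: line 8 of the new file uses the " ." placeholder while the blank lines before and after the README path are bare "+" lines. NEWS.Debian is parsed with the changelog format (apt-listchanges shows it through the same parser), so pick one convention for the whole entry, preferably " ." for every intentional empty line inside the body, with only the blank line directly under the header left bare.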
=====================================
debian/changelog
=====================================
@@ -1,4 +1,4 @@
-debian-edu-config (2.12.16) UNRELEASED; urgency=medium
+debian-edu-config (2.12.16) unstable; urgency=medium
[ Wolfgang Schweer ]
* etc/exim4/exim-ldap-server-v4.conf: Accept incoming mail from internal
@@ -21,6 +21,8 @@ debian-edu-config (2.12.16) UNRELEASED; urgency=medium
* README.public_html_with_PHP-CGI+suExec.md:
- Provide documentation on how to enable suExec support in Apache2 userdirs
(i.e. ~/public_html).
+ * debian/NEWS:
+ + Add file, inform about PHP being disabled in Apache2 user directories.
* debian/debian-edu-config.fetch-ldap-cert: Drop retrieval of
Debian-Edu_rootCA from this script. This now is the task of the
fetch-rootca-cert script. (Closes: #971780).
@@ -41,7 +43,9 @@ debian-edu-config (2.12.16) UNRELEASED; urgency=medium
- share/debian-edu-config/tools/: Add new update-dlw-krb5-keytabs script and
call it (with delay) from gosa-modify-host and gosa-remove-host hook
scripts.
- - (Closes: #613167)
+ - (Closes: #613167).
+ * debian/control:
+ + Add D: adduser.
* share/debian-edu-config/tools/update-proxy-from-wpad:
- Fix typo (wrong protocol) in APT proxy config creation.
- Create a Debian Edu specific proxy configuration in /etc/apt/apt.conf.d/
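Review bot: "Add D: adduser." is terse for a changelog reader who does not know the Debian shorthand; spelling it out as "Add Depends: adduser (postinst calls adduser on the main server)." says what changed and why in the same line.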
@@ -54,8 +58,12 @@ debian-edu-config (2.12.16) UNRELEASED; urgency=medium
templates and ignore them. (Closes: #815042).
* ldap-schemas/: Update schema files from Debian's latest GOsa² list of
schemas. (Closes: #1004949).
+ * debian/debian-edu-config.postinst:
+ + Replace calling 'service' by calling 'invoke-rc.d'. Thanks, lintian.
+ * debian/debian-edu-config.lintian-overrides:
+ + Adjust line number references in lintian overrides.
- -- Mike Gabriel <sunweaver at debian.org> Fri, 14 Jan 2022 22:21:27 +0100
+ -- Mike Gabriel <sunweaver at debian.org> Fri, 04 Feb 2022 13:06:25 +0100
debian-edu-config (2.12.15) unstable; urgency=medium
=====================================
debian/control
=====================================
@@ -22,6 +22,7 @@ Package: debian-edu-config
Architecture: all
Depends: ${misc:Depends},
lsb-base,
+ adduser,
bind9-host,
cfengine3,
debconf-utils,
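Review bot: the new dependency is the right fix rather than an optional one: adduser is not an Essential package, and the postinst invokes it unconditionally inside the Main-Server branch, so a package installed on a minimal system would otherwise fail at configure time. The placement (after lsb-base, before bind9-host) keeps the alphabetical order of the rest of the list.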
=====================================
debian/debian-edu-config.lintian-overrides
=====================================
@@ -15,6 +15,6 @@ debian-edu-config binary: missing-systemd-service-for-init.d-script etc/init.d/f
debian-edu-config binary: missing-systemd-service-for-init.d-script etc/init.d/fetch-rootca-cert fetch-rootca-cert
debian-edu-config binary: missing-systemd-service-for-init.d-script etc/init.d/firefox-ldapconf firefox-ldapconf
debian-edu-config binary: script-not-executable usr/share/debian-edu-config/killer.cron
-debian-edu-config binary: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [control/postinst:153]
-debian-edu-config binary: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [control/postinst:158]
-debian-edu-config binary: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [control/postinst:160]
+debian-edu-config binary: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [control/postinst:171]
+debian-edu-config binary: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [control/postinst:176]
+debian-edu-config binary: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [control/postinst:178]
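Review bot: the three new line numbers (171, 176, 178) do match the slapcat, slapadd and rm lines in the postinst hunk below, but overrides anchored on line numbers go stale with every edit to the maintainer script, which is exactly what this commit had to repair. Lintian accepts * and ? wildcards in the extra information of an override, so "[control/postinst:*]" on a single line would cover all three occurrences without needing further adjustment. The override itself is justified only as long as $TMPDIR comes from mktemp -d (a fresh private directory), which is the case in the visible code.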
=====================================
debian/debian-edu-config.postinst
=====================================
@@ -137,9 +137,9 @@ configure)
if [ -s /etc/debian-edu/config ] && grep -Eq "(Main-Server)" /etc/debian-edu/config ; then
if ! getent 'passwd' 'debian-edu' >'/dev/null'; then
echo 'Creating debian-edu user.' >&2
- adduser --system --home '/var/lib/debian-edu' \
- --disabled-password --shell '/bin/sh' \
- --group 'debian-edu'
+ adduser --system --home /var/lib/debian-edu \
+ --disabled-password --shell /bin/sh \
+ --group debian-edu
else
echo 'User debian-edu already exists.' >&2
# make sure all settings are appropriate
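Review bot: dropping the quotes is behaviour-neutral (none of the arguments contain whitespace or shell metacharacters), so the lintian fix is fine as is. Since this is the line that creates the account, it is also the place to ask whether the debian-edu system user needs an interactive shell at all: unless something runs commands as this user via su or similar, "--shell /usr/sbin/nologin" is the least-privilege default for a system account. "--group" combined with "--system" creates a group of the same name, so the positional "debian-edu" is the user name, which is correct.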
@@ -169,10 +169,10 @@ configure)
[ ! -f /var/lib/ldap/data.mdb ] && ! running_from_di ; then
TMPDIR=$(mktemp -d)
slapcat > $TMPDIR/all.ldif
- service slapd stop
+ invoke-rc.d slapd stop
rm /var/lib/ldap/*
ln -sf /etc/ldap/slapd-debian-edu-mdb.conf /etc/ldap/slapd.conf
- service slapd start
+ invoke-rc.d slapd start
slapadd -l $TMPDIR/all.ldif
if [ -f /var/lib/ldap/data.mdb ] ; then
rm $TMPDIR/all.ldif
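Review bot: switching to invoke-rc.d changes failure behaviour in a way this hunk does not account for. Unlike "service", invoke-rc.d honours /usr/sbin/policy-rc.d and exits 101 without stopping anything when the action is denied (chroots, container builds, some provisioning tools); the exit status is not checked here, so the next line would run "rm /var/lib/ldap/*" underneath a still-running slapd. The same applies to slapcat on the line above it: if the dump fails, all.ldif is empty and the database is wiped anyway. Abort before the destructive step, e.g. "slapcat > "$TMPDIR/all.ldif" || exit 1" and "invoke-rc.d slapd stop || exit 1", and quote "$TMPDIR" in the three uses. Using TMPDIR as the variable name also shadows the environment variable of the same name; if it is exported by the caller, the assignment changes where every later command in the script creates its temporary files, so a name like LDIF_DIR is safer.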
=====================================
debian/debian-edu-config.postrm
=====================================
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/edd051dcf469db92c3a5d5cd5bd82886217ff2ed...2e4bdfe8637eb9a95a10499e047f2fefe9e3caca