apache2-suexec-custom changes permissions on suexec binary

Bug #897120 reported by Nick_Hill
This bug affects 1 person
Affects: apache2 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

I have a server where the group ID for the suexec binary is set to other than www-data.

Whenever an update occurs, all web sites with scripting which depend on suexec break. This can happen at any time as I have automatic updates enabled. Once I receive complaints, I must log in and re-set the GID on /var/lib/apache2/suexec.

I consider the group ID on the suexec binary as a system setting. This system setting is wiped on update.

Please change the package scripts so that they preserve the ownership and permissions on suexec.

Description: Ubuntu 10.04.3 LTS
Release: 10.04

apache2-suexec-custom:
  Installed: 2.2.14-5ubuntu8.7
  Candidate: 2.2.14-5ubuntu8.7

Changed in apache2 (Ubuntu):
importance: Undecided → Medium
Stefan Fritsch (sf-sfritsch) wrote :

That's what dpkg-statoverride is for. I will mention that in the suexec man page.
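
The dpkg-statoverride approach suggested above, as an added example that is not part of the thread or the apache2 packaging: it reads a file's current owner, group and mode and prints the command that registers them as an override, so upgrades keep them. The function names, the dry-run design and the `mode_is_risky` policy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU stat (coreutils).

# True if an octal mode is unsafe for a setuid helper: setuid bit set AND the
# file is group/other-writable or executable by "other". This policy is the
# example's own assumption, not something dpkg enforces.
mode_is_risky() {
    m=$((0$1))
    [ $((m & 04000)) -ne 0 ] && [ $((m & 0023)) -ne 0 ]
}

# Print (dry run) the dpkg-statoverride command that pins the file's CURRENT
# owner, group and mode, so later package upgrades keep them.
statoverride_cmd() {
    path=$1
    [ -e "$path" ] || { echo "no such file: $path" >&2; return 1; }
    mode=$(stat -c '%a' "$path")
    if mode_is_risky "$mode"; then
        echo "refusing to pin risky mode $mode on $path" >&2
        return 2
    fi
    printf 'dpkg-statoverride --update --add %s %s %s %s\n' \
        "$(stat -c '%U' "$path")" "$(stat -c '%G' "$path")" "$mode" "$path"
}

# Usage: sh pin-suexec.sh <path-to-suexec>   (script name is hypothetical)
# Review the printed command, run it as root, then confirm the override with:
#   dpkg-statoverride --list <path-to-suexec>
if [ "$#" -gt 0 ]; then
    statoverride_cmd "$1"
fi
```

Set the group and mode you want on the suexec binary first, then run the script against it; the printed command records exactly that state in dpkg's override database.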

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.21-3ubuntu1

---------------
apache2 (2.2.21-3ubuntu1) precise; urgency=low

  * Merge from Debian testing. Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth aware passphrase dialog program ask-for-passphrase.

apache2 (2.2.21-3) unstable; urgency=medium

  * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
    reverse proxy configurations. (Similar to CVE-2011-3368, but different
    attack vector.)
  * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
    via malicious .htaccess.
  * Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
  * Fix broken link in docs. Closes: #650528
  * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
    Thanks for your work in the past.
 -- Chuck Short <email address hidden> Fri, 09 Dec 2011 05:20:43 +0000

Changed in apache2 (Ubuntu):
status: New → Fix Released