COMMAND

    httpd (Apache, Debian Boa package)

SYSTEMS AFFECTED

    Debian 2.1

PROBLEM

    Andrei D. Caraman  found following.   This pertains to  the Apache
    configuration as shipped  with Debian 2.1  (codename slink).   The
    default setup  of Apache  (apache_1.3.3-7.deb) makes  the /usr/doc
    directory  available  to  anyone  as  http://some.host/doc/.   The
    relevant line is in the srm.conf file:

        Alias /doc/ /usr/doc/

    That would allow any user from the net (malicious or not) to  know
    the exact version of the  software packages installed on a  Debian
    box.   It looks   more of  a privacy  issue then  a security  one.
    However,  if  a  security  vulnerability  affecting  any  of those
    packes is found, attackers may  already know which targets to  hit
    (and maybe the ones  to be avoided).   At first one would  thought
    that alias should be disabled, but upon further reading the  lines
    below  (`The  above  line  is  for  Debian  webstandard 3.0, which
    specifies that  /doc refers  to /usr/doc.   Some packages  may not
    work otherwise.').  Access to that location should be only allowed
    from localhost (note  that a web  proxy on the  same machine might
    render that  limitation useless).   The site  administrator  could
    easily change that if he/she so needs.

    The Debian Boa package, a (very) lightweight web server, does this
    as well.  Version 0.93.16.1-1, Debian 2.2 (unstable/potato).   The
    relavent line in /etc/boa/boa.conf is

        #Alias /doc /usr/doc

SOLUTION

    Johnie  Ingram  (the  Apache  maintainer  for  Debian)  has   been
    notified, and replied that  this was already formally  reported on
    the Bug Tracking System by another Debian user (details  available
    here):

        http://www.debian.org/Bugs/db/34/34099.html

    including this suggested fix:

        <Directory /usr/doc>
        AllowOverride None
        order deny,allow
        deny from all
        allow from localhost
        </Directory>

    Johnie  said  he  intended  to  change  the  old default it in the
    following  release.   Maintainer  of  Debian  Apache package about
    this issue answered  that this alias  is required in  every Debian
    packaged web  server by  Debian packaging  policy and  if You want
    to report it  as a bug  You should change  first the policy.   You
    better comment one line in srm.conf:

        #Alias /doc /usr/doc