[Fedora-directory-commits] adminserver/admserv/cfgstuff admserv.conf.in, 1.10, 1.11
Richard Allen Megginson (rmeggins)
fedora-directory-commits at redhat.com
Mon Jun 9 15:42:49 UTC 2008
Author: rmeggins
Update of /cvs/dirsec/adminserver/admserv/cfgstuff
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14565/adminserver/admserv/cfgstuff
Modified Files:
admserv.conf.in
Log Message:
Resolves: CVE-2008-0892 and 437320
Description: Directory Server: shell command injection in CGI replication
monitor
Directory Server: unrestricted access to CGI scripts
Fix Description: remove ScriptAlias for bin/admin/admin/bin - do not use that
directory for CGI URIs - use only protected URIs for CGIs requiring
authentication
Remove most CGI parameters from repl-monitor-cgi.pl - user must supply
replmon.conf in the admin server config directory instead of passing in this
pathname - repl-monitor-cgi.pl does not use system to call repl-monitor.pl, it
"includes" that script (using perl import).
Platforms tested: all supported platforms
Flag Day: no
Doc impact: release notes are available
Index: admserv.conf.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf.in,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- admserv.conf.in 7 Dec 2007 17:43:50 -0000 1.10
+++ admserv.conf.in 9 Jun 2008 15:42:46 -0000 1.11
@@ -25,7 +25,6 @@
ADMServerVersionString "@capbrand at -Administrator/@PACKAGE_VERSION@"
ADMConfigDir "@configdir@"
-ScriptAlias /bin/admin/admin/bin/ "@cgibindir@/"
ScriptAlias /dist/ "@cgibindir@/"
ScriptAlias /manual/help/ "@cgibindir@/"
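Review bot: Dropping the /bin/admin/admin/bin/ alias does not by itself take anything out of reach, because the two context lines that remain, ScriptAlias /dist/ and ScriptAlias /manual/help/, still map to the same "@cgibindir@/" directory. Every script installed there stays addressable under those two prefixes, so the restriction described in the log message depends on what is installed in @cgibindir@ and on access controls that are not visible in this hunk. Suggest either confirming that only CGIs meant to run without authentication remain in @cgibindir@, or narrowing these aliases to the specific scripts they serve (such as /dist/download) instead of the whole directory.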
@@ -63,7 +62,7 @@
# remap / requests to the download CGI
RewriteEngine on
-RewriteRule ^/$ /bin/admin/admin/bin/download [R,L,QSA]
+RewriteRule ^/$ /dist/download [R,L,QSA]
# remap admin server icons
Alias /admin-serv/tasks/icons/ @icondir@/
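Review bot: On the added RewriteRule line, the target /dist/download only resolves because of the ScriptAlias /dist/ line kept earlier in the file, and nothing here records that coupling. Suggest extending the comment above the rule to say that /dist/ must stay mapped to the directory holding download. The QSA flag also still appends the query string from a request for / to the download CGI; if download takes no parameters on that path, dropping QSA would shrink the input it has to handle.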