Apache Security

[zurek]

My friend told me that recently Apache Server have a securiy bug. He told me that after upgrade, some of the config files has been reset to default state, which reduced level of security. Unfortunately I couldn't find any information about this.

It is true, or my friend lied to me?

If this is true then where can I read more about it.

[hexophrenic]

It would depend. Did existing configuration get over-written? Some distros will prompt during an upgrade to keep existing or replace with new. It would depend on how the upgrade was performed. Always have good backups and run a diff on the configuration files after upgrade to see what changed. Just a part of change/configuration management (or bad luck in some cases :) ).

[Jason Cooper]

My friend told me that recently Apache Server have a securiy bug. He told me that after upgrade, some of the config files has been reset to default state, which reduced level of security.

Most distributions have use a separate directory (conf.d, sites-available, etc) to house local config files, this helps avoid the problem of an update replacing apaches main config file an erasing all local configurations. Of course there are some people who still make all their configuration changes in apache's main config file rather than using local config files, so if it did get replaced then they would loose any changes they have made.

Another big advantage of using local config files for most of your settings is that you can easily replicate security settings from one server to another by simply copying the one file, rather than cutting and pasting lines and hoping that you have got all the relevant ones.