Bug ID | 1083322 |
---|---|
Summary | wordpress-apache package contains a typing error related to security |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 42.3 |
Hardware | Other |
OS | openSUSE 42.3 |
Status | NEW |
Severity | Critical |
Priority | P5 - None |
Component | Other |
Assignee | bnc-team-screening@forge.provo.novell.com |
Reporter | david@kronlid.net |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Created attachment 762157: configuration file with error corrected on line 17

In the wordpress-apache package made at https://build.opensuse.org/package/show/server:php:applications/wordpress, there's a typo which might or might not affect security depending on how apache2 parses the configuration file:

/etc/apache2/conf.d/wordpress.conf

On row 17 there's a missing " before the ending >

The purpose of this part of the config file is to stop users from uploading .php files, which can be used to run custom PHP scripts on servers, potentially with a malicious purpose.

This potentially affects all versions of Leap, Tumbleweed, and openSUSE backports to SUSE.

I haven't checked if this affects security in the default apache2 shipped with Leap 42.3, but anyway it should get fixed, as it might cause a parsing error on some version of apache2, now or in the future, which might affect security on servers running WordPress on Apache2.

The file containing the error: https://download.opensuse.org/repositories/server:/php:/applications/openSUSE_Leap_42.3/noarch/wordpress-apache-4.9.4-1.1.noarch.rpm

I add a correct wordpress.conf as an attachment.
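
A check for the class of error reported above, as an added example that is not part of the original report or of the package: a small Python linter that flags Apache section headers containing an unbalanced double quote. The sample configuration and the paths in it are constructed for illustration and are not the contents of the packaged wordpress.conf; the function names are hypothetical.

```python
import re

# Constructed sample, NOT the packaged wordpress.conf: the Directory header
# on line 5 is missing the closing double quote before '>'.
SAMPLE_CONF = r'''Alias /wordpress "/srv/www/wordpress"
<Directory "/srv/www/wordpress">
    Require all granted
</Directory>
<Directory "/srv/www/wordpress/wp-content/uploads>
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>
'''

# Opening section tags such as <Directory ...>; closing tags are skipped.
SECTION_OPEN = re.compile(r'^<(?!/)\w+')

def unbalanced_quotes(text):
    """True if text has an odd number of unescaped double quotes.
    Assumption: a backslash escapes the character that follows it."""
    count, escaped = 0, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            count += 1
    return count % 2 == 1

def lint_sections(conf_text):
    """Return (line_number, problem, line) for each suspicious section header."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not SECTION_OPEN.match(line):
            continue
        if not line.endswith('>'):
            findings.append((lineno, 'header does not end with ">"', line))
        elif unbalanced_quotes(line):
            findings.append((lineno, 'unbalanced double quote', line))
    return findings

if __name__ == '__main__':
    for lineno, problem, line in lint_sections(SAMPLE_CONF):
        print(f'line {lineno}: {problem}: {line}')
```

This is a textual check only; Apache's own `apachectl configtest` remains the authoritative syntax test for the installed version.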