http://bugzilla.opensuse.org/show_bug.cgi?id=1083322

Bug ID: 1083322
Summary: wordpress-apache package contains a typing error related to security
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
OS: openSUSE 42.3
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Other
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: david@kronlid.net
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 762157
  --> http://bugzilla.opensuse.org/attachment.cgi?id=762157&action=edit
configuration file with error corrected on line 17

In the wordpress-apache package made at
https://build.opensuse.org/package/show/server:php:applications/wordpress ,
there's a typo which might or might not affect security depending on how
apache2 parses the configuration file:
/etc/apache2/conf.d/wordpress.conf

On row 17 there's a missing " before the ending >

The purpose of this part of the config-file is to stop users from uploading
.php files which can be used to run custom PHP scripts on servers, potentially
with a malicious purpose.

This potentially affects all versions of Leap, Tumbleweed, and openSUSE
backports to SUSE.

I haven't checked if this affects security in the default apache2 shipped with
Leap 42.3, but anyway it should get fixed as it might cause a parsing error on
some version of apache2 now or in the future which might affect security on
servers running WordPress on Apache2.

The file containing the error:
https://download.opensuse.org/repositories/server:/php:/applications/openSUS...

I add a correct wordpress.conf as attachment

--
You are receiving this mail because:
You are on the CC list for the bug.
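A lint check for the kind of typo reported above (a section header missing its closing `"`), as an added example that is not part of the original report or of the package. The sample configuration is constructed for illustration and is not the contents of the packaged wordpress.conf; `lint` and `SAMPLE_CONF` are hypothetical names.

```python
import re

# Constructed sample for illustration; NOT the contents of the packaged wordpress.conf.
SAMPLE_CONF = r'''Alias /wordpress "/srv/www/wordpress"
<Directory "/srv/www/wordpress">
    Require all granted
</Directory>
# Block PHP files in the uploads directory (constructed rule)
<Directory "/srv/www/wordpress/wp-content/uploads>
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>
'''

SECTION_OPEN = re.compile(r'^<\s*([A-Za-z]\w*)\b.*>$')
SECTION_CLOSE = re.compile(r'^</\s*([A-Za-z]\w*)\s*>$')
UNESCAPED_QUOTE = re.compile(r'(?<!\\)"')

def lint(conf_text):
    """Return (line_no, problem, text) findings for quote and section errors."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        # An odd number of unescaped double quotes means one was never closed.
        if len(UNESCAPED_QUOTE.findall(line)) % 2:
            findings.append((no, 'unbalanced double quote', line))
        closing = SECTION_CLOSE.match(line)
        opening = SECTION_OPEN.match(line)
        if closing:
            name = closing.group(1).lower()
            if stack and stack[-1][1] == name:
                stack.pop()
            else:
                findings.append((no, 'unexpected closing tag', line))
        elif opening:
            stack.append((no, opening.group(1).lower()))
    # Anything still on the stack was opened but never closed.
    findings.extend((no, 'section never closed', '<%s>' % name) for no, name in stack)
    return findings

if __name__ == '__main__':
    for no, problem, text in lint(SAMPLE_CONF):
        print('line %d: %s: %s' % (no, problem, text))
```

This is a heuristic pre-check for packaging or CI; the server's own syntax check, `apachectl configtest`, remains the authoritative test of how a given Apache version parses the file.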