openSUSE Recommended Update: apache2: revert last change about Require directive to avoid spurious 403 ______________________________________________________________________________ Announcement ID: openSUSE-RU-2013:1837-1 Rating: moderate References: #854263 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: Apache was updated to revert last change about Require directive to avoid spurious 403 errors due to conflicts with Require vs. Deny/Allow. The problem: In /etc/apache2/httpd.conf, the permissions are set for "/" using <Directory /> ... Require all denied </Directory>. This overrides all subsequent Allow/Deny directives that may be present in an older confguration and leads to a 403 unless configured otherwise with a further "Require all granted" down in a directory or vhost. This cannot be guaranteed, though, and numerous configurations also from add-ons that bring their own /etc/apache2/conf.d config file make use of the Deny/Allow directives. This looks like we'll stick with the compiled-in mod_access_compat for a while. [bnc#854263] Patch Instructions: To install this openSUSE Recommended Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2013-944 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): apache2-2.4.6-6.10.1 apache2-debuginfo-2.4.6-6.10.1 apache2-debugsource-2.4.6-6.10.1 apache2-devel-2.4.6-6.10.1 apache2-event-2.4.6-6.10.1 apache2-event-debuginfo-2.4.6-6.10.1 apache2-example-pages-2.4.6-6.10.1 apache2-prefork-2.4.6-6.10.1 apache2-prefork-debuginfo-2.4.6-6.10.1 apache2-utils-2.4.6-6.10.1 apache2-utils-debuginfo-2.4.6-6.10.1 apache2-worker-2.4.6-6.10.1 apache2-worker-debuginfo-2.4.6-6.10.1 - openSUSE 13.1 (noarch): apache2-doc-2.4.6-6.10.1 References: https://bugzilla.novell.com/854263