So after upgrading against the Range header vulnerability, I find that
apache-2.2.20 seems to litter /etc/apache2 with standard configuration
files, while I don't remember anything at least in 2.2.1x range doing that.


leho@server etc $ qlist apache- | grep etc
/etc/apache2/extra/httpd-autoindex.conf
/etc/apache2/extra/httpd-multilang-errordoc.conf
/etc/apache2/extra/httpd-vhosts.conf
/etc/apache2/extra/httpd-mpm.conf
/etc/apache2/extra/httpd-default.conf
/etc/apache2/extra/httpd-dav.conf
/etc/apache2/extra/httpd-languages.conf
/etc/apache2/extra/httpd-ssl.conf
/etc/apache2/extra/httpd-info.conf
/etc/apache2/extra/httpd-manual.conf
/etc/apache2/extra/httpd-userdir.conf
/etc/apache2/vhosts.d/00_default_ssl_vhost.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/vhosts.d/.keep_www-servers_apache-2
/etc/apache2/vhosts.d/default_vhost.include
/etc/apache2/magic
/etc/apache2/original/extra/httpd-autoindex.conf
/etc/apache2/original/extra/httpd-multilang-errordoc.conf
/etc/apache2/original/extra/httpd-vhosts.conf
/etc/apache2/original/extra/httpd-mpm.conf
/etc/apache2/original/extra/httpd-default.conf
/etc/apache2/original/extra/httpd-dav.conf
/etc/apache2/original/extra/httpd-languages.conf
/etc/apache2/original/extra/httpd-ssl.conf
/etc/apache2/original/extra/httpd-info.conf
/etc/apache2/original/extra/httpd-manual.conf
/etc/apache2/original/extra/httpd-userdir.conf
/etc/apache2/original/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/apache2.conf
/etc/apache2/mime.types
/etc/apache2/modules.d/00_mod_userdir.conf
/etc/apache2/modules.d/00_languages.conf
/etc/apache2/modules.d/00_mod_status.conf
/etc/apache2/modules.d/00_mod_info.conf
/etc/apache2/modules.d/00_mod_mime.conf
/etc/apache2/modules.d/46_mod_ldap.conf
/etc/apache2/modules.d/00_error_documents.conf
/etc/apache2/modules.d/00_mod_autoindex.conf
/etc/apache2/modules.d/.keep_www-servers_apache-2
/etc/apache2/modules.d/00_mpm.conf
/etc/apache2/modules.d/45_mod_dav.conf
/etc/apache2/modules.d/40_mod_ssl.conf
/etc/apache2/modules.d/00_mod_log_config.conf
/etc/apache2/modules.d/00_default_settings.conf
/etc/apache2/modules.d/10_mod_mem_cache.conf
/etc/conf.d/apache2
/etc/init.d/apache2
/etc/logrotate.d/apache2

leho@server etc $ sudo git status -s apache2
M apache2/modules.d/70_mod_wsgi.conf
?? apache2/apache2.conf
?? apache2/extra/
?? apache2/mime.types
?? apache2/modules.d/00_mod_headers.conf
?? apache2/original/

My git log shows I did a Gentoo-config migration about 8 months ago.

commit 48baa69137ad8d84c1678b59a13648092d8f7906
Author: leho <leho@kraav.com>
Date: Fri Dec 17 23:33:01 2010 +0200

apache2: vimdiff merge gentoo distro configa + apps/*.conf

diff --git a/apache2/httpd.conf b/apache2/httpd.conf
index 85e5126..241a7ba 100644
--- a/apache2/httpd.conf
+++ b/apache2/httpd.conf
@@ -1,69 +1,43 @@
+# This is a modification of the default Apache 2.2 configuration file
+# for Gentoo Linux.
... yadda yadda

Can anyone shed some light (discussion URLs?) onto why apache2.conf,
extra/ and original/ are installed again? Maybe some eclass thing?


--
Leho Kraav, M.Sc.

http://leho.kraav.com

> So after upgrading against the Range header vulnerability, I find that
> apache-2.2.20 seems to litter /etc/apache2 with standard configuration
> files, while I don't remember anything at least in 2.2.1x range doing that.

Same thing happend to me, but it seems this new config files are not
included per default. I am not really sure what to make of this. Which
file should I edit from now on?

All files seem to be valid, there are no ophans in my apache2 directory
(excluding my froxlor and ssl config)

# find /etc/apache2/ -type f -print0 | xargs -0 qfile -o | egrep -v
"froxlor|ssl"
#

And if you google for "gentoo apache 2.2.20" guess what you'll find?
Yeah, that right, this Thread!

Am 05.09.2011 09:18, schrieb Michael Hampicke:
>> So after upgrading against the Range header vulnerability, I find that
>> apache-2.2.20 seems to litter /etc/apache2 with standard configuration
>> files, while I don't remember anything at least in 2.2.1x range doing that.
>
> Same thing happend to me, but it seems this new config files are not
> included per default. I am not really sure what to make of this. Which
> file should I edit from now on?
>
> All files seem to be valid, there are no ophans in my apache2 directory
> (excluding my froxlor and ssl config)
>
> # find /etc/apache2/ -type f -print0 | xargs -0 qfile -o | egrep -v
> "froxlor|ssl"
> #
>
> And if you google for "gentoo apache 2.2.20" guess what you'll find?
> Yeah, that right, this Thread!
>

I guess it was just happened through an oversight because of the rushed
release. I just removed those files without ill effects.

Florian Philipp wrote:
> I guess it was just happened through an oversight because of the rushed
> release. I just removed those files without ill effects.

Indeed, these files seem completely useless on a Gentoo system. I have
filed a bug:

https://bugs.gentoo.org/show_bug.cgi?id=382997

-- Remy

> Indeed, these files seem completely useless on a Gentoo system. I have
> filed a bug:
>
> https://bugs.gentoo.org/show_bug.cgi?id=382997

I was gonna wait to see what other are saying about this. Then totally
forgot about this thread.
But I'll keep an eye on this bug, thanks for filing.