The default configuration of the apache2 package in Debian GNU/Linux
squeeze before 2.2.16-6+squeeze7, wheezy before 2.2.22-4, and sid before
2.2.22-4, when mod_php or mod_rivet is used, provides example scripts under
the doc/ URI, which might allow local users to conduct cross-site scripting
(XSS) attacks, gain privileges, or obtain sensitive information via vectors
involving localhost HTTP requests to the Apache HTTP Server.
 mdeslaur> fixing this requires a conf file change, which we try not to
 mdeslaur> do in security updates. Marking as ignored since we will not
 mdeslaur> fix this in stable releases. Workaround is simply for the admin
 mdeslaur> to remove the doc directory in the conf files.
Upstream:released (2.2.22-4)
More Information

Updated: 2019-01-14 22:01:16 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)