1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1063710: lintian: apache2-deprecated-auth-config ignores mentioned

    From Roland Rosenfeld@21:1/5 to All on Sun Feb 11 15:00:01 2024
    Package: lintian
    Version: 2.117.0
    Severity: normal

    Dear Maintainer,

    I observe the following warning in xymon package:

    W: xymon: apache2-deprecated-auth-config Allow [etc/apache2/conf-available/xymon.conf:23]
    N:
    N: The package is using some of the deprecated authentication configuration N: directives Order, Satisfy, Allow, Deny, <Limit> or <LimitExcept>
    N:
    N: These do not integrate well with the new authorization scheme of Apache
    N: 2.4 and, in the case of <Limit> and <LimitExcept> have confusing
    N: semantics. The configuration directives should be replaced with a suitable N: combination of <RequireAll>, <RequireAny>, Require all, Require local,
    N: Require ip, and Require method.
    N:
    N: Alternatively, the offending lines can be wrapped between <IfModule
    N: !mod_authz_core.c> ... </IfModule> or <IfVersion < 2.3> ... </IfVersion> N: directives.
    N:
    N: Visibility: warning
    N: Show-Always: no
    N: Check: apache2

    But this xymon.conf already uses the mentioned
    <IfModule !mod_authz_core.c> ... </IfModule>
    wrapper:

    Directory "/var/lib/xymon/www">
    Options Indexes FollowSymLinks Includes MultiViews
    <IfModule mod_authz_core.c>
    # Apache 2.4+
    Require local
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Allow from localhost ::1/128
    </IfModule>
    </Directory>

    So it would be nice, if lintian could check for the suggested wrapper
    and mute the alarm if it exists.

    Not really sure, whether this worth the effort, in the meantime I'll
    add an overrides.

    Greetings
    Roland

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Russ Allbery@21:1/5 to Roland Rosenfeld on Sun Feb 11 19:00:02 2024
    Roland Rosenfeld <roland@debian.org> writes:

    I observe the following warning in xymon package:

    W: xymon: apache2-deprecated-auth-config Allow [etc/apache2/conf-available/xymon.conf:23]
    N:
    N: The package is using some of the deprecated authentication configuration N: directives Order, Satisfy, Allow, Deny, <Limit> or <LimitExcept>
    N:
    N: These do not integrate well with the new authorization scheme of Apache N: 2.4 and, in the case of <Limit> and <LimitExcept> have confusing
    N: semantics. The configuration directives should be replaced with a suitable
    N: combination of <RequireAll>, <RequireAny>, Require all, Require local, N: Require ip, and Require method.
    N:
    N: Alternatively, the offending lines can be wrapped between <IfModule
    N: !mod_authz_core.c> ... </IfModule> or <IfVersion < 2.3> ... </IfVersion> N: directives.
    N:
    N: Visibility: warning
    N: Show-Always: no
    N: Check: apache2

    But this xymon.conf already uses the mentioned
    <IfModule !mod_authz_core.c> ... </IfModule>
    wrapper:

    This is definitely a bug in that the tag doesn't match the tag
    description, but it may also be worth noting that Apache 2.4 was released
    in February of 2012 and Apache 2.2 has been officially end of life and
    entirely unsupported since July of 2017. I think one can make a good
    argument that both the Lintian tag description and xymon should just drop
    all support for Apache versions prior to 2.4. Hopefully no one is still running it, since it almost certainly has significant unfixed security vulnerabilities at this point.

    --
    Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)