Your message dated Tue, 11 Mar 2025 07:24:16 +0100
with message-id <[email protected]>
and subject line icingaweb2: don't mangle around in the Apache configs
has caused the Debian Bug report #830941,
regarding icingaweb2: don't mangle around in the Apache configs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
830941: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830941
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: icingaweb2
Version: 2.3.4-1
Severity: normal
Tags: security
Hi.
The postinst of this package automatically enables some
config snippets as well as some modules.
Please don't do that: not only does it have the simple potential
to break existing setups but also to introduce security holes.
In general it's already a bad idea if an apache module package
enables its own module (i.e. a2enmod).
It may not be configured, and depending on the layout of the
apache configuration loading it in general may not be desired
but e.g. rather for specific sites only.
When some 3rd party package enables another module, that's IMHO
even worse.
mod_rewrite may easily introduce security issues or simply be
undesired in some sites running on a node (and icingaweb2 may
not be the only one).
Similarly, enabling /etc/apache2/conf-available/icingaweb2.conf
shouldn't be done either.
AFAICS, it's not even enforcing SSL.
It further cannot be assumed that the URL space / isn't already
used somehow (e.g. via other generic rewritings) and it should
be the user who decides whether he wants to make Icinga Web 2
to /icingaweb2.
I think a good alternative would be simply to document in
README.Debian which modules are required and that there is
an out-of-the box config snippet (icingaweb2.conf) which people
could either use directly or integrate into their more powerful
setup.
Alternatively one could use debconf to at least ask whether
that auto-configuration should be done.
I think that would still make it easy for people to get it running
while not possibly breaking more advanced setups or even
automatically "starting" Icinga Web2 in a fashion that is not
as tightly locked down as the site would want it.
Cheers,
Chris.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
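An added audit helper for the situation the report describes (not code from the icingaweb2 package, the Debian maintainers or the reporter): it shows an administrator which Apache modules and conf snippets are switched on under an Apache config root, so that what a package postinst enabled via a2enmod / a2enconf is visible before it breaks or exposes a site. It assumes the Debian layout ROOT/{mods,conf}-{available,enabled} and the two items named in the report (mod_rewrite and conf-available/icingaweb2.conf).

```shell
#!/bin/sh
# Added audit helper; not code from the icingaweb2 package or this bug report.
# Assumes the Debian Apache layout: ROOT/mods-enabled and ROOT/conf-enabled
# hold symlinks created by a2enmod / a2enconf into the *-available dirs.

# enabled_items ROOT KIND   (KIND is "mods" or "conf")
# Prints the names enabled under ROOT/KIND-enabled, one per line, deduplicated
# (a module may have both a .load and a .conf link).
enabled_items() {
    dir="$1/$2-enabled"
    [ -d "$dir" ] || return 0
    for link in "$dir"/*.load "$dir"/*.conf; do
        # Skip the literal glob when nothing matched; keep dangling symlinks.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=$(basename "$link")
        name=${name%.load}
        name=${name%.conf}
        printf '%s\n' "$name"
    done | sort -u
}

# is_enabled ROOT KIND NAME -> exit 0 if NAME is enabled, 1 otherwise.
is_enabled() {
    enabled_items "$1" "$2" | grep -qx -- "$3"
}

# audit_icingaweb2 ROOT
# Prints one line per item the report says the postinst enables, tagged
# ENABLED or DISABLED; returns 0 when nothing is enabled, 1 otherwise.
audit_icingaweb2() {
    root=$1
    rc=0
    for spec in "mods rewrite" "conf icingaweb2"; do
        kind=${spec% *}
        name=${spec#* }
        if is_enabled "$root" "$kind" "$name"; then
            printf 'ENABLED  %s/%s-enabled/%s\n' "$root" "$kind" "$name"
            rc=1
        else
            printf 'DISABLED %s/%s-enabled/%s\n' "$root" "$kind" "$name"
        fi
    done
    return $rc
}

# Run against the real config root (or APACHE_ROOT for testing on a copy).
audit_icingaweb2 "${APACHE_ROOT:-/etc/apache2}" || true
```

A non-zero exit from audit_icingaweb2 flags that at least one of the two items is active, which is the state the report objects to being reached without the administrator's decision.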
--- Begin Message ---
tags 830941 wontfix
thanks
This is unlikely to ever get addressed.
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
--- End Message ---