Source: apache2
Version: 2.4.25-3+deb9u3
Severity: normal

Hi,
libapache2-mod-security2 sets a Recommends: on modsecurity-crs and ships a
/etc/apache2/mods-enabled/security2.conf with the following directive:

-----
# Include OWASP ModSecurity CRS rules if installed
IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load
-----

But when installing on a system where the installation of recommended packages
is disabled, modsecurity-crs isn't installed and as such the
/usr/share/modsecurity-crs/ directory isn't present, which makes the
IncludeOptional directive fail and prevents Apache from starting:

-----
Oct 17 14:57:17 foo systemd[1]: Starting The Apache HTTP Server...
Oct 17 14:57:17 foo apachectl[18942]: apache2: Syntax error on line 11 of /etc/apache2/apache2.conf: Syntax error on line 12 of /etc/apache2/mods-enabled/security2.conf: Could not open config directory /usr/share/modsecurity-crs: No such file or directory
Oct 17 14:57:17 foo apachectl[18942]: Action 'start' failed.
-----

Creating /usr/share/modsecurity-crs/ fixes it, but that seems like a 
misfeature/bug?
Shouldn't it also fail gracefully in the absence of one of the path elements?

Cheers,
        Moritz
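
A pre-start check for the failure reported above, as an added example that is not part of the original message or of any Debian package: it lists every IncludeOptional directive whose parent directory is missing. The function name `missing_include_dirs` and its `SYSROOT` argument are hypothetical, the sample config is constructed, and only absolute paths are checked.

```shell
#!/bin/sh
# Added example (not from the bug report or the package).
# Usage: missing_include_dirs CONF [SYSROOT]
#   SYSROOT is an assumed prefix so the check can run against a scratch tree.
missing_include_dirs() {
    conf=$1 sysroot=${2:-}
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Split into words without glob expansion; leading whitespace is dropped.
        set -f; set -- $line; set +f
        [ $# -ge 2 ] || continue
        # Apache directive names are case-insensitive.
        case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
            includeoptional) ;;
            *) continue ;;
        esac
        path=$2
        path=${path#\"}; path=${path%\"}          # drop optional quotes
        case $path in /*) ;; *) continue ;; esac  # relative paths need ServerRoot; skipped
        # Keep the literal part before any wildcard, then drop the last component.
        literal=${path%%[*?[]*}
        dir=${literal%/*}
        [ -n "$dir" ] || dir=/
        [ -d "$sysroot$dir" ] || printf '%s:%s: missing directory %s\n' "$conf" "$lineno" "$dir"
    done < "$conf"
}

# Constructed sample: the directive from the report, checked against an empty
# scratch root so the result does not depend on the host.
demo_root=$(mktemp -d)
printf '%s\n' '# Include OWASP ModSecurity CRS rules if installed' \
    'IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load' > "$demo_root/security2.conf"
missing_include_dirs "$demo_root/security2.conf" "$demo_root"
rm -rf "$demo_root"
```

On a real host the call would be `missing_include_dirs /etc/apache2/mods-enabled/security2.conf`, run before restarting the service.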
