reopen 874542
severity 874542 normal
found 874542 2.9.1-2
found 874542 2.9.2-1~bpo9+1
thanks

Hi there,

Apparently, if the user doesn't honor Recommends, which is no longer the
default but is nevertheless perfectly legitimate, this package fails to
install on stretch with or without backports:

% sudo apt install libapache2-mod-security2
[...]
Setting up libapache2-mod-security2 (2.9.1-2) ...
apache2_invoke: Enable module security2
apache2_reload: Your configuration is broken. Not restarting Apache 2
apache2_reload: apache2: Syntax error on line 147 of /etc/apache2/apache2.conf: 
Syntax error on line 12 of /etc/apache2/mods-enabled/security2.conf: Could not 
open configuration file /usr/share/modsecurity-crs/owasp-crs.load: No such file 
or directory

% sudo apt install libapache2-mod-security2 -t stretch-backports
[...]
Setting up libapache2-mod-security2 (2.9.2-1~bpo9+1) ...
Installing new version of config file 
/etc/modsecurity/modsecurity.conf-recommended ...
apache2_invoke security2: already enabled
apache2_reload: Your configuration is broken. Not restarting Apache 2
apache2_reload: apache2: Syntax error on line 147 of /etc/apache2/apache2.conf: 
Syntax error on line 12 of /etc/apache2/mods-enabled/security2.conf: Could not 
open configuration file /usr/share/modsecurity-crs/owasp-crs.load: No such file 
or directory

The changelog entry says "Change CRS IncludeOptional to wildcard to
get the desired behaviour (not failing when CRS not present)." but this
appears to not be the case in the package itself:

% grep IncludeOptional /etc/apache2/mods-enabled/security2.conf
        IncludeOptional /etc/modsecurity/*.conf
        IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load

There's no wildcard in the latter statement, did it get lost somewhere?

JFTR, in stretch, apache2 itself is 2.4.25-*, but
https://httpd.apache.org/docs/2.4/mod/core.html#includeoptional says "Not
existent file paths without wildcards do not cause SyntaxError after 2.4.30"

Because of the Recommends relationship, this probably won't be seen by a lot
of users, and it can be trivially worked around by commenting that line out,
so I've downgraded the severity to normal. And in buster, apache2 is already
2.4.37-1. Still, this situation is noticeable because it happens on stable,
can't be avoided with stable backports, and failing to install normally
trips up basic exit status checks.

-- 
     2. That which causes joy or happiness.
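
An added example, not part of the original report or of the Debian package: a small shell check that lists the IncludeOptional directives which make the configuration test fail on Apache older than 2.4.30, that is, paths without a wildcard that do not exist. The function names, the optional ROOT prefix argument and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Usage: fragile_includes CONF [ROOT]
# Prints "line N: PATH" for every IncludeOptional whose PATH has no wildcard
# and does not exist. ROOT (assumed helper argument) is prepended to PATH so
# an unpacked package tree or chroot can be checked instead of the live system.
fragile_includes() {
    conf=$1
    root=${2:-}
    # Commented-out directives never match because their first field differs.
    awk 'tolower($1) == "includeoptional" { print NR, $2 }' "$conf" |
    while read -r lineno path; do
        path=${path#\"}; path=${path%\"}      # strip optional quotes
        case $path in
            *\**|*\?*|*\[*) continue ;;       # wildcard: no match is tolerated
            /*) ;;                            # absolute path: check it
            *) continue ;;                    # relative to ServerRoot: not handled here
        esac
        [ -e "$root$path" ] || echo "line $lineno: $path"
    done
}

# Constructed sample built from the two directives quoted in the report.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/modsecurity"
    cat > "$tmp/security2.conf" <<'EOF'
<IfModule security2_module>
        IncludeOptional /etc/modsecurity/*.conf
        IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load
</IfModule>
EOF
    fragile_includes "$tmp/security2.conf" "$tmp"
    rm -rf "$tmp"
}

demo
```

Run against /etc/apache2/mods-enabled/security2.conf with no ROOT argument, an empty result means no IncludeOptional line of this kind is present.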
