Package: icinga-cgi Version: 1.14.2+ds-1 Severity: normal In previous versions the shipped default apache2.conf contained these authorization related directives:
``` Order Allow,Deny Allow From all [...] Require valid-user ``` This had the effect that user had to authenticate (be a `valid-user`) to access the web interface. However, in the version this bug applies to, the `Order` and `Allow` directives have been replaced by a single `Require all granted` directive. Now the two `Require' directives interact differently, than was previously intended. Instead of requiring a `valid-user` the `all granted` now takes precedence and users aren't required to authenticate. I'm aware this probably won't get fixed, because the icinga package was removed from unstable. I'm just filing this bug to document it for anyone who might come across this problem. Regards Sven -- System Information: Debian Release: bullseye/sid APT prefers testing-debug APT policy: (990, 'testing-debug'), (990, 'testing'), (102, 'unstable-debug'), (102, 'unstable'), (101, 'experimental-debug'), (101, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.6.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled