Source: icingaweb2
Version: 2.3.4-1
Severity: normal
Tags: security
Hi.

The postinst of this package automatically enables some config snippets as well as some modules. Please don't do that: not only has it the simple potential to break existing setups, but also to introduce security holes.

In general it's already a bad idea if an apache module package enables its own module (i.e. a2enmod). It may not be configured, and depending on the layout of the apache configuration, loading it in general may not be desired but e.g. rather for specific sites only. When some 3rd party package enables another module, that's IMHO even worse. mod_rewrite may easily introduce security issues or simply be undesired in some sites running on a node (and icingaweb2 may not be the only one).

Similarly, enabling /etc/apache2/conf-available/icingaweb2.conf shouldn't be done either. AFAICS, it's not even enforcing SSL. It further cannot be assumed that the URL space / isn't already used somehow (e.g. via other generic rewritings), and it should be the user who decides whether he wants to map Icinga Web 2 to /icingaweb2.

I think a good alternative would be simply to document in README.Debian which modules are required and that there is an out-of-the-box config snippet (icingaweb2.conf) which people could either use directly or integrate into their more powerful setup. Alternatively one could use debconf to at least ask whether that auto-configuration should be done. I think that would still be easy for people to get it running while not possibly breaking more advanced setups or even automatically "starting" Icinga Web 2 in a fashion that is not as tightly locked down as the site would want it.

Cheers,
Chris.
-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
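The debconf-gated alternative the report proposes, as an added example that is not the icingaweb2 package's own maintainer script. The debconf question icingaweb2/apache-autoconfig (a boolean defaulting to false, asked by the package's config script) is assumed; apache2_invoke is the helper that dh_apache2-generated scripts use, and the fragment refuses to touch Apache when the snippet is already enabled or another enabled config already claims /icingaweb2.

```sh
#!/bin/sh
# Added example of a postinst that only enables the shipped Apache snippet on an
# explicit debconf opt-in. The question icingaweb2/apache-autoconfig is hypothetical
# (declared in debian/icingaweb2.templates, asked by debian/config, read here).
set -e

# Return 0 only when enabling the shipped snippet under the Apache config root $1 is safe:
# the snippet exists, nothing named icingaweb2.conf is enabled yet, and no enabled site or
# conf already maps the /icingaweb2 URL space (an admin's own, possibly stricter, setup).
icingaweb2_apache_autoconfig_safe() {
    root=${1:-/etc/apache2}
    [ -f "$root/conf-available/icingaweb2.conf" ] ||
        { echo "icingaweb2: shipped Apache snippet not found, skipping" >&2; return 1; }
    [ ! -e "$root/conf-enabled/icingaweb2.conf" ] ||
        { echo "icingaweb2: icingaweb2.conf already enabled, leaving it alone" >&2; return 1; }
    if grep -rqE '^[[:space:]]*Alias[[:space:]]+/icingaweb2([[:space:]/]|$)' \
            "$root/conf-enabled" "$root/sites-enabled" 2>/dev/null; then
        echo "icingaweb2: /icingaweb2 is already mapped by another config, skipping" >&2
        return 1
    fi
    return 0
}

# $1 = debconf answer ("true"/"false"), $2 = Apache config root.
# Enables mod_rewrite and the snippet through apache2_invoke, but only when the admin
# opted in and the safety check passes; a plain "false" leaves Apache untouched.
icingaweb2_apache_enable() {
    if [ "$1" != "true" ]; then
        echo "icingaweb2: Apache auto-configuration declined; see README.Debian" >&2
        return 0
    fi
    icingaweb2_apache_autoconfig_safe "$2" || return 0
    if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
        . /usr/share/apache2/apache2-maintscript-helper
        apache2_invoke enmod rewrite
        apache2_invoke enconf icingaweb2
    else
        echo "icingaweb2: apache2 maintscript helper missing, nothing enabled" >&2
    fi
}

# Maintainer-script entry point: read the answer the config script collected.
if [ "$1" = "configure" ] && [ -f /usr/share/debconf/confmodule ]; then
    . /usr/share/debconf/confmodule
    db_get icingaweb2/apache-autoconfig || true
    icingaweb2_apache_enable "${RET:-false}"
fi
```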

