Bug#1063710: lintian: apache2-deprecated-auth-config ignores mentioned workaround

2024-02-11 Thread Russ Allbery 
Roland Rosenfeld  writes:

> I observe the following warning in xymon package:

> W: xymon: apache2-deprecated-auth-config Allow 
> [etc/apache2/conf-available/xymon.conf:23]
> N: 
> N:   The package is using some of the deprecated authentication configuration
> N:   directives Order, Satisfy, Allow, Deny,  or 
> N:   
> N:   These do not integrate well with the new authorization scheme of Apache
> N:   2.4 and, in the case of  and  have confusing
> N:   semantics. The configuration directives should be replaced with a 
> suitable
> N:   combination of , , Require all, Require local,
> N:   Require ip, and Require method.
> N:   
> N:   Alternatively, the offending lines can be wrapped between  N:   !mod_authz_core.c> ...  or  ... 
> N:   directives.
> N: 
> N:   Visibility: warning
> N:   Show-Always: no
> N:   Check: apache2

> But this xymon.conf already uses the mentioned
>   ... 
> wrapper:

This is definitely a bug in that the tag doesn't match the tag
description, but it may also be worth noting that Apache 2.4 was released
in February of 2012 and Apache 2.2 has been officially end of life and
entirely unsupported since July of 2017.  I think one can make a good
argument that both the Lintian tag description and xymon should just drop
all support for Apache versions prior to 2.4.  Hopefully no one is still
running it, since it almost certainly has significant unfixed security
vulnerabilities at this point.

-- 
Russ Allbery (r...@debian.org)

Bug#1063710: lintian: apache2-deprecated-auth-config ignores mentioned workaround

2024-02-11 Thread Roland Rosenfeld 
Package: lintian
Version: 2.117.0
Severity: normal

Dear Maintainer,

I observe the following warning in xymon package:

W: xymon: apache2-deprecated-auth-config Allow 
[etc/apache2/conf-available/xymon.conf:23]
N: 
N:   The package is using some of the deprecated authentication configuration
N:   directives Order, Satisfy, Allow, Deny,  or 
N:   
N:   These do not integrate well with the new authorization scheme of Apache
N:   2.4 and, in the case of  and  have confusing
N:   semantics. The configuration directives should be replaced with a suitable
N:   combination of , , Require all, Require local,
N:   Require ip, and Require method.
N:   
N:   Alternatively, the offending lines can be wrapped between  ...  or  ... 
N:   directives.
N: 
N:   Visibility: warning
N:   Show-Always: no
N:   Check: apache2

But this xymon.conf already uses the mentioned
  ... 
wrapper:

Directory "/var/lib/xymon/www">
Options Indexes FollowSymLinks Includes MultiViews

# Apache 2.4+
Require local


Order deny,allow
Allow from localhost ::1/128



So it would be nice, if lintian could check for the suggested wrapper
and mute the alarm if it exists.

Not really sure, whether this worth the effort, in the meantime I'll
add an overrides.

Greetings
Roland