Bug#788991: lintian: false positive on apache2-deprecated-auth-config due to strict check
Package: lintian
Version: 2.5.31
Severity: normal
Dear Maintainer,
I believe I found a false positive while Lintian is checking for old
configuration style for Apache 2.2 within the Zarafa upstream packages.
We've got the following Apache configuration:
> Alias /webaccess /usr/share/zarafa-webaccess
>
> <Directory /usr/share/zarafa-webaccess/>
> DirectoryIndex index.php
> Options -Indexes +FollowSymLinks
> AllowOverride Options
>
> <IfModule !mod_authz_core.c>
> Order allow,deny
> Allow from all
> </IfModule>
> <IfModule mod_authz_core.c>
> Require all granted
> </IfModule>
> <IfModule mod_socache_shmcb.c>
> php_flag session.cookie_secure on
> php_flag session.cookie_httponly on
> </IfModule>
>
> # Uncomment to enhance security of WebApp by restricting cookies to only
> # be provided over HTTPS connections
> # php_flag session.cookie_secure on
> # php_flag session.cookie_httponly on
> </Directory>
Lintian is detecting the line with 'Order' and 'Allow' within the
<IfModule !mod_authz_core.c> check. But this check is needed to detect if the
configuration is running on an Apache less than 2.4. An Apache version smaller than
2.4 didn't know a module 'mod_authz_core.c' and needs the Order and Allow
entries then of course.
If there is a module 'mod_authz_core.c' detected, you are running an Apache
2.4 (and probably later). So the configuration above is correct.
Please change Lintian to not print a warning if the Order and Allow
directive is within a '<IfModule !mod_authz_core.c> ... </IfModule>'.
There is also a report #710656 that goes quite in the same direction. As
it's not exactly the same issue I opened up this new report, feel free
to merge these two bugs if reasonable.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710656
Regards
Carsten
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf
Kernel: Linux 3.10-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages lintian depends on:
ii binutils 2.25-8
ii bzip2 1.0.6-8
ii diffstat 1.58-1
ii file 1:5.22+15-2
ii gettext 0.19.4-1
ii hardening-includes 2.7
ii intltool-debian 0.35.0+20060710.2
ii libapt-pkg-perl 0.1.29+b2
ii libarchive-zip-perl 1.39-1
ii libclass-accessor-perl 0.34-1
ii libclone-perl 0.38-1
ii libdpkg-perl 1.18.1
ii libemail-valid-perl 1.195-1
ii libfile-basedir-perl 0.03-1
ii libipc-run-perl 0.94-1
ii liblist-moreutils-perl 0.410-1
ii libparse-debianchangelog-perl 1.2.0-3
ii libtext-levenshtein-perl 0.12-1
ii libtimedate-perl 2.3000-2
ii liburi-perl 1.64-1
ii man-db 2.7.0.2-5
ii patchutils 0.3.4-1
ii perl [libdigest-sha-perl] 5.20.2-6
ii t1utils 1.38-4
ii xz-utils 5.1.1alpha+20120614-2+b3
Versions of packages lintian recommends:
ii dpkg 1.18.1
ii libautodie-perl 2.25-1
ii libperlio-gzip-perl 0.18-3+b1
ii perl 5.20.2-6
ii perl-modules [libautodie-perl] 5.20.2-6
Versions of packages lintian suggests:
pn binutils-multiarch <none>
ii dpkg-dev 1.18.1
ii libhtml-parser-perl 3.71-2
ii libtext-template-perl 1.46-1
ii libyaml-perl 1.13-1
-- no debconf information
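A sketch of the guard-aware check requested in this report, added here as an illustration (it is not Lintian's code, and `find_deprecated_auth` is a hypothetical name): it tracks section nesting and reports 2.2-style directives only when no enclosing `<IfModule !mod_authz_core.c>` guards them. The directive set is an assumption, and the example goes beyond the report by also accepting the module identifier form `!authz_core_module`.

```python
import re

# 2.2-style access-control directives (set assumed for this example).
DEPRECATED = {"order", "allow", "deny", "satisfy"}
# Guards meaning "mod_authz_core is absent", i.e. Apache older than 2.4.
LEGACY_GUARDS = {"!mod_authz_core.c", "!authz_core_module"}
OPEN_RE = re.compile(r"<\s*(\w+)\s*([^>]*)>\s*$")
CLOSE_RE = re.compile(r"<\s*/\s*\w+\s*>\s*$")

def find_deprecated_auth(config_text):
    """Return [(line_no, directive)] for unguarded 2.2-style directives."""
    findings = []
    stack = []  # one bool per open section: True for a legacy guard
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            arg = m.group(2).strip().lower()
            stack.append(m.group(1).lower() == "ifmodule" and arg in LEGACY_GUARDS)
            continue
        directive = line.split(None, 1)[0]
        if directive.lower() in DEPRECATED and not any(stack):
            findings.append((line_no, directive))
    return findings

# The guarded stanza from the report, reduced to its access-control lines.
GUARDED = """\
<Directory /usr/share/zarafa-webaccess/>
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
</IfModule>
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Directory>
"""
# Constructed counter-example: the same directives with no version guard.
UNGUARDED = "<Directory /usr/share/zarafa-webaccess/>\nOrder allow,deny\nAllow from all\n</Directory>\n"

if __name__ == "__main__":
    print(find_deprecated_auth(GUARDED), find_deprecated_auth(UNGUARDED))
```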