Package: libapache2-mod-security2
Version: 2.9.1-2
Severity: important

Dear Maintainer,

If you install libapache2-mod-security2 without also installing modsecurity-crs and then restart httpd, there is a syntax error and the service goes down. The reason is in the file /etc/apache2/mods-available/security2.conf on line 12:

    # Include OWASP ModSecurity CRS rules if installed
    IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load

Clearly the intention here, from the comment and the use of IncludeOptional, is to only load this if it exists. The bug is that this syntax does NOT make it optional but behaves like an Include. So if you don't have that file, which comes from modsecurity-crs, which is a recommendation but not a dependency, things break.

Upstream apache httpd docs say about IncludeOptional:

    "It works identically to the Include directive, but it will be silently ignored (instead of causing an error) if wildcards are used and they do not match any file or directory or if a file path does not exist on the file system."

The key word here is "wildcards" and the logical "and". In the line above there are no wildcards; it's just a path to a single file. This means the IncludeOptional is NOT optional, which means:

    Could not open configuration file /usr/share/modsecurity-crs/owasp-crs.load: No such file or directory

and then finally:

    Syntax error on line 12 of /etc/apache2/mods-enabled/security2.conf

and the service going down.

It seems really not obvious that IncludeOptional is not always optional, so I don't think that will be the only case, and the impact was quite severe.
Also see: https://httpd.apache.org/docs/2.4/mod/core.html#includeoptional

-- System Information:
Debian Release: 9.13
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/24 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapache2-mod-security2 depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.25-3+deb9u9
ii  libapr1                             1.5.2-5
ii  libaprutil1                         1.5.4-3
ii  libc6                               2.24-11+deb9u4
ii  libcurl3-gnutls                     7.52.1-5+deb9u11
ii  liblua5.1-0                         5.1.5-8.1+b2
ii  libpcre3                            2:8.39-3
ii  libxml2                             2.9.4+dfsg1-2.2+deb9u2
ii  libyajl2                            2.1.0-2+b3

Versions of packages libapache2-mod-security2 recommends:
ii  modsecurity-crs  3.0.0-3

libapache2-mod-security2 suggests no packages.

-- no debconf information
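A pre-restart check for the failure described in this report, added here as an example (it is not part of the original report or of the package): it lists every IncludeOptional directive that names a single literal path whose target is missing. The function names `fragile_includes` and `make_sample` are hypothetical, the sample configuration is constructed, and the check assumes `*`, `?` and `[` are the wildcard characters and that paths contain no spaces.

```shell
#!/bin/sh
# usage: fragile_includes CONF_FILE [SERVER_ROOT]
# Prints "file:line: path" for each IncludeOptional without wildcards
# whose target does not exist (the case the report says aborts startup).
fragile_includes() {
    conf=$1
    root=${2:-/etc/apache2}
    # awk emits "LINENO PATH"; directive names are case-insensitive, and
    # comment lines never match because their first field starts with '#'.
    awk 'tolower($1) == "includeoptional" { gsub(/"/, "", $2); print NR, $2 }' "$conf" |
    while read -r lineno path; do
        [ -n "$path" ] || continue
        case $path in
            *\**|*\?*|*\[*) continue ;;  # wildcard form: a non-match is ignored
        esac
        case $path in
            /*) ;;
            *) path=$root/$path ;;       # relative paths resolve against ServerRoot
        esac
        [ -e "$path" ] || printf '%s:%s: %s\n' "$conf" "$lineno" "$path"
    done
}

# Constructed sample: a security2.conf-like file under directory $1.
make_sample() {
    mkdir -p "$1/conf.d"
    : >"$1/conf.d/present.conf"
    cat >"$1/security2.conf" <<EOF
<IfModule security2_module>
    # Include OWASP ModSecurity CRS rules if installed
    IncludeOptional $1/modsecurity-crs/owasp-crs.load
    IncludeOptional $1/conf.d/*.conf
    includeoptional "$1/conf.d/present.conf"
    IncludeOptional $1/missing-dir/*.load
</IfModule>
EOF
}

# Demo on the constructed sample: only line 3 is reported.
sample=$(mktemp -d)
make_sample "$sample"
fragile_includes "$sample/security2.conf"
rm -rf "$sample"
```

On a real host, run it over each file in /etc/apache2/mods-enabled and follow up with `apache2ctl configtest` before restarting the service.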