--- Begin Message ---
Package: apache2-utils
Version: 2.2.9-7
Severity: minor
Greetings,
Having recently upgraded from a relatively old apache 1.3-era package I have found
a quick script I wrote to periodically synchronise passwords had become unreliable.
Further investigation reveals that htpasswd invoked from this script around 50 times
blocks for long periods. It previously took trivial time (very much less than one
second). Running strace, I see:
$ strace htpasswd -c -b testfile testuser testpass
[much output]
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
uname({sys="Linux", node="gamma", ...}) = 0
brk(0) = 0x804c000
brk(0x806d000) = 0x806d000
stat64("testfile", 0xbfb4f970) = -1 ENOENT (No such file or directory)
open("testfile", O_WRONLY|O_CREAT|O_LARGEFILE, 0666) = 3
close(3) = 0
open("/dev/random", O_RDONLY) = 3
read(3,
Clearly I'm entropy-starved. However, I'd question whether a tool such as htpasswd
cannot do with /dev/urandom. Delving into the code, it uses it to seed rand(3) so
it clearly does not use /dev/random for any purpose where pure entropy is required.
Previously it had used time(2) -- this change to use a blocking function in the APR
is the source of the regression.
Cheers,
Joseph
-- System Information:
Debian Release: lenny/sid
Architecture: i386 (i686)
Kernel: Linux 2.6.18-6-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages apache2-utils depends on:
ii libapr1 1.2.12-4 The Apache Portable Runtime Librar
ii libaprutil1 1.2.12+dfsg-8 The Apache Portable Runtime Utilit
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libssl0.9.8 0.9.8g-13 SSL shared libraries
apache2-utils recommends no packages.
apache2-utils suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: apr
Source-Version: 1.2.12-5
We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:
apr_1.2.12-5.diff.gz
to pool/main/a/apr/apr_1.2.12-5.diff.gz
apr_1.2.12-5.dsc
to pool/main/a/apr/apr_1.2.12-5.dsc
libapr1-dbg_1.2.12-5_i386.deb
to pool/main/a/apr/libapr1-dbg_1.2.12-5_i386.deb
libapr1-dev_1.2.12-5_i386.deb
to pool/main/a/apr/libapr1-dev_1.2.12-5_i386.deb
libapr1_1.2.12-5_i386.deb
to pool/main/a/apr/libapr1_1.2.12-5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 501497@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 08 Oct 2008 00:06:56 +0200
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.2.12-5
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
libapr1 - The Apache Portable Runtime Library
libapr1-dbg - The Apache Portable Runtime Library - Development Headers
libapr1-dev - The Apache Portable Runtime Library - Development Headers
Closes: 501497
Changes:
apr (1.2.12-5) unstable; urgency=low
.
* Actually switch to /dev/urandom instead of only adding a non-functional
patch. Closes: #501497
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFI6+Ahbxelr8HyTqQRAp/AAKDXFm9vKrzzCDJ+AatE4+k7+9jTVACgjkdq
2D/9jd4dnmVEj2mdc6VLffI=
=tvEO
-----END PGP SIGNATURE-----
--- End Message ---
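The blocking read in the strace output and the /dev/urandom switch named in the changelog, as an added C example (not code from APR, htpasswd or the Debian patch). The function names `would_block` and `read_seed` are hypothetical: the first turns the hang into a testable EAGAIN result, the second reads a seed from a character device without stalling on short reads or EINTR.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Probe a device: 1 if a read would block right now (the htpasswd hang),
 * 0 if bytes are available, -1 on any other error. */
int would_block(const char *path, size_t len)
{
    unsigned char buf[64];
    int rc, fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len < sizeof buf ? len : sizeof buf);
    rc = n > 0 ? 0 : (n < 0 && errno == EAGAIN) ? 1 : -1;
    close(fd);
    return rc;
}

/* Fill out[0..len) from a character device such as /dev/urandom.
 * Retries on EINTR, loops over short reads, rejects non-devices and EOF. */
int read_seed(const char *path, void *out, size_t len)
{
    struct stat st;
    unsigned char *p = out;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) goto fail;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) goto fail;          /* error or unexpected EOF */
        p += n; len -= (size_t)n;
    }
    close(fd); return 0;
fail:
    close(fd); return -1;
}

int main(void)
{
    unsigned int seed;
    printf("/dev/random would block: %d\n", would_block("/dev/random", sizeof seed));
    if (read_seed("/dev/urandom", &seed, sizeof seed) != 0) return 1;
    srand(seed);                        /* seeding rand(3), as the report describes */
    puts("seeded rand(3) from /dev/urandom");
    return 0;
}
```

The result of probing /dev/random depends on the kernel and its entropy state, so only the /dev/urandom path has a fixed outcome.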