Bug#752922: marked as done (apache2 upgrade wheezy->jessie breaks certain apache2 modules)

Your message dated Wed, 23 Jul 2014 13:00:08 +0000
with message-id <E1X9w9Q-00030W-4p@franck.debian.org>
and subject line Bug#711925: fixed in apache2 2.4.10-1
has caused the Debian Bug report #711925,
regarding apache2 upgrade wheezy->jessie breaks certain apache2 modules
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

711925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711925
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.9-2
Severity: important

Dear Maintainer,

Upgrading from stable (wheezy) to testing (jessie) permanently breaks certain apache2 modules.

This bug has also been filed for Ubuntu:
but the Ubuntu folks suggested this should be fixed upstream so I am filing the bug report here. This report should be a bit easier to read.

When stable is upgraded to testing, apache 2.2 is replaced by apache 2.4. Under apache 2.4, the default set of modules built is different to that under apache 2.2, and certain modules (e.g. mod_ident, which is the one that bit me) are not built, and are not included by default in the apache 2.4 package. Nor are they included in any other package.

This is in itself a problem, because any systems relying on these modules will not survive the upgrade.

Worse, though, is what happens after an upgrade. I rebuilt mod_ident as a separate .deb in the hope it would work and could be contributed back:


However, this exposes a conffile handling issue which is hard to work around in any normal manner.

The issue is as follows. When apache2.2-common is installed, it has a conffile for the .load file of the relevant module. In this instance:

root@debiantest:~# dpkg-query -W -f='${Conffiles}' apache2.2-common | fgrep ident
 /etc/apache2/mods-available/ident.load 51ba623a8a2bd71c512f847d02e0934f

When this is upgraded to jessie (using dist-upgrade), the conffile is (correctly) removed, but the record of the conffile still exists under the apache2.2-common package.

During install we see:
Removing apache2.2-common (2.2.22-13+deb7u1) ...
(Reading database ... 14345 files and directories currently installed.)
Preparing to unpack .../apache2_2.4.9-2_amd64.deb ...
Moving obsolete conffile /etc/apache2/mods-available/authz_default.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/authn_default.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/mem_cache.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/mem_cache.conf out of the way...
Moving obsolete conffile /etc/apache2/mods-available/authn_alias.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/cern_meta.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/disk_cache.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/disk_cache.conf out of the way...
Moving obsolete conffile /etc/apache2/mods-available/ident.load out of the way...
Moving obsolete conffile /etc/apache2/mods-available/imagemap.load out of the way...
Unpacking apache2 (2.4.9-2) over (2.2.22-13+deb7u1) ...

but then afterwards:

root@debiantest:~# dpkg --list | fgrep apache
ii  apache2                       2.4.9-2               amd64        Apache HTTP Server
ii  apache2-bin                   2.4.9-2               amd64        Apache HTTP Server (binary files and modules)
ii  apache2-data                  2.4.9-2               all          Apache HTTP Server (common files)
ii  apache2-mpm-worker            2.4.9-2               amd64        transitional worker MPM package for apache2
ii  apache2-utils                 2.4.9-2               amd64        Apache HTTP Server (utility programs for web servers)
ii  apache2.2-bin                 2.4.9-2               amd64        Transitional package for apache2-bin
rc  apache2.2-common              2.2.22-13+deb7u1      amd64        Apache HTTP Server common files
root@debiantest:~# dpkg-query -W -f='${Conffiles}' apache2.2-common | fgrep ident
 /etc/apache2/mods-available/ident.load 51ba623a8a2bd71c512f847d02e0934f

Now imagine you have another package which depends on mod_ident to work. It can:

  Depends: apache2, apache2.2-bin | libapache2-mod-ident

which means it will pull in another libapache2-mod-ident module for apache 2.4 at the time of the upgrade as apache2.2-bin will be removed.

However, this then won't install the conffile above as apache2.2-common owns it. Adding Replaces: Breaks: to the 2.4 module is insufficient as, though this marks apache2.2's entry for the conffile as obsolete, the .load file still doesn't get installed. Commit cb55f139c661cd345f1e1234a977f6c17b653bd1 to the version of mod_ident above works around this in a fairly disgusting manner, i.e. Replaces: Breaks:, plus copying the file in manually in the .postinst if it's not already there.

In summary, the change to 2.4 makes it VERY HARD to safely upgrade from wheezy to jessie if a program relies upon the relevant modules. I can see why the auth modules might have been deprecated, but I see no reason why the ident module should have been.

I would suggest:
* Produce an apache2-mod-extra package containing the non-default modules (i.e. build with the 'reallyall' parameter to configure but put these extra modules in a separate package);
* Build the excised modules into separate packages; or
* Reinstate these to the main package

The problem with the third option is that now any users of these will have worked around the problem by producing their own package; an updated version which reinstates them will break that package.

The full list of modules affected is (I think):

-- Package-specific info:

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13.0-29-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-bin   2.4.9-2
ii  apache2-data  2.4.9-2
ii  lsb-base      4.1+Debian13
ii  mime-support  3.56
ii  perl          5.18.2-4
ii  procps        1:3.3.9-5

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.34

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  apache2-utils                                    2.4.9-2
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.1-2
ii  libaprutil1              1.5.3-2
ii  libaprutil1-dbd-sqlite3  1.5.3-2
ii  libaprutil1-ldap         1.5.3-2
ii  libc6                    2.19-3
ii  libldap-2.4-2            2.4.39-1
ii  liblua5.1-0              5.1.5-5
ii  libpcre3                 1:8.31-5
ii  libssl1.0.0              1.0.1h-3
ii  libxml2                  2.9.1+dfsg1-3
ii  perl                     5.18.2-4
ii  zlib1g                   1:1.2.8.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.9-2
ii  apache2-bin  2.4.9-2

-- no debconf information

--- End Message ---
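
Added example (not part of the original report or of the Debian packaging): a shell check for the state described in the report above, where a package left in the rc state still records conffiles that are no longer on disk. The function names, the example-pkg entry and the apache2.conf hash are constructed for illustration; the input format assumes dpkg-query's ${binary:Package}, ${db:Status-Abbrev} and ${Conffiles} fields.

```shell
#!/bin/sh
# Added example, not from the bug report: report conffile records that are
# still held by removed-but-not-purged ("rc") packages although the file is
# gone from disk, which is the state shown for apache2.2-common above.
#
# stdin: output of
#   dpkg-query -W -f='${binary:Package}\t${db:Status-Abbrev}\n${Conffiles}\n'
# $1:    filesystem root to check paths against (default /)
# Paths containing whitespace are not handled.
stale_conffile_records() {
    root="${1:-/}"
    awk -F'\t' '
        /^[^ ]/ { pkg = $1; state = substr($2, 1, 2); next }  # "name<TAB>rc "
        /^ \//  { if (state == "rc") { split($0, f, " "); print pkg "\t" f[1] } }
    ' | while IFS="$(printf '\t')" read -r pkg path; do
        # Print only records whose file no longer exists under the root.
        [ -e "${root%/}${path}" ] || printf '%s %s\n' "$pkg" "$path"
    done
}

# Constructed sample input. The ident.load line is the record quoted in the
# report; example-pkg and the apache2.conf hash are made up.
sample_status() {
    printf 'apache2\tii \n /etc/apache2/apache2.conf 0123456789abcdef0123456789abcdef\n'
    printf 'apache2.2-common\trc \n /etc/apache2/mods-available/ident.load 51ba623a8a2bd71c512f847d02e0934f\n'
    printf 'example-pkg\trc \n /etc/example/example.conf 00000000000000000000000000000000\n'
    printf 'no-conffiles-pkg\tii \n\n'
}

# Run the check against a throwaway root in which only example.conf exists,
# so the rc record for ident.load is the one reported.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/etc/example"
    : > "$tmp/etc/example/example.conf"
    sample_status | stale_conffile_records "$tmp"
    rm -rf "$tmp"
}

demo
```

On a live system, pipe the dpkg-query command from the header comment into stale_conffile_records with no argument.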
--- Begin Message ---
Source: apache2
Source-Version: 2.4.10-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 711925@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Tue, 22 Jul 2014 23:16:20 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2.2-bin apache2.2-common libapache2-mod-proxy-html libapache2-mod-macro apache2-utils apache2-suexec apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-dbg
Architecture: source i386 all
Version: 2.4.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (binary files and modules)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-mpm-event - transitional event MPM package for apache2
 apache2-mpm-itk - transitional itk MPM package for apache2
 apache2-mpm-prefork - transitional prefork MPM package for apache2
 apache2-mpm-worker - transitional worker MPM package for apache2
 apache2-suexec - transitional package for apache2-suexec-pristine
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 apache2.2-bin - Transitional package for apache2-bin
 apache2.2-common - Transitional package for apache2
 libapache2-mod-macro - Transitional package for apache2-bin
 libapache2-mod-proxy-html - Transitional package for apache2-bin
Closes: 709461 711925 716880 751361 752922
 apache2 (2.4.10-1) unstable; urgency=medium
   [ Arno Töll ]
   * New upstream version
     + Refresh debian/patches/fhs_compliance.patch
     + Security Fixes:
       - CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash
       - CVE-2014-0226 Fix a race condition resulting in a heap overflow in
         scoreboard handling
       - CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the
         length and compression ratio of inflated request to mitigate a
         possible DoS
       - CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts
     + Fixes SNI with certificate defined in global scope. (Closes: #751361)
   * Warn users if they try to disable modules that we consider essential for
     operation of the Apache web server (Closes: #709461)
   * Drop libcap from our build-dependencies. That was needed for itk which we
     gave source out to its own package again.
   * Provide apache2.2-common package to avoid upgrading problems for people
     using --purge (apt) or --purge-unused (aptitude) even though that's
     clearly discouraged. This caused disappearing of conffiles because we move
     them from apache2.2-common to apache2 during the upgrade. Ugh. This was
     not a bug in our packaging, but unfortunately people blame us
     nonetheless even though it's not all our fault. This alternative helps
     those people, but at the same time means that incompatible modules aren't
     force-removed by dpkg during the upgrade. Hopefully we catch all of them
     with the Breaks relation coming along (Closes: #716880, #752922, #711925)

--- End Message ---
