
Bug#752922: closed by Stefan Fritsch <sf@debian.org> (Bug#711925: fixed in apache2 2.4.10-1)



This bug has been closed as fixed in 2.4.10-1. However, Utopic 2.4.10-1ubuntu1 which is based on 2.4.10-1 certainly does not include mod_ident in the build. Is this a Debian/Ubuntu difference or was this closed too soon?

On 23 Jul 2014, at 14:03, Debian Bug Tracking System <owner@bugs.debian.org> wrote:

> This is an automatic notification regarding your Bug report
> which was filed against the apache2 package:
> 
> #752922: apache2 upgrade wheezy->jessie breaks certain apache2 modules
> 
> It has been closed by Stefan Fritsch <sf@debian.org>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Stefan Fritsch <sf@debian.org> by
> replying to this email.
> 
> 
> -- 
> 711925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711925
> Debian Bug Tracking System
> Contact owner@bugs.debian.org with problems
> 
> From: Stefan Fritsch <sf@debian.org>
> Subject: Bug#711925: fixed in apache2 2.4.10-1
> Date: 23 July 2014 14:00:08 BST
> To: 711925-close@bugs.debian.org
> 
> 
> Source: apache2
> Source-Version: 2.4.10-1
> 
> We believe that the bug you reported is fixed in the latest version of
> apache2, which is due to be installed in the Debian FTP archive.
> 
> A summary of the changes between this version and the previous one is
> attached.
> 
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 711925@bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
> 
> Debian distribution maintenance software
> pp.
> Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
> 
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmaster@ftp-master.debian.org)
> 
> 
> Signed PGP part
> Format: 1.8
> Date: Tue, 22 Jul 2014 23:16:20 +0200
> Source: apache2
> Binary: apache2 apache2-data apache2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2.2-bin apache2.2-common libapache2-mod-proxy-html libapache2-mod-macro apache2-utils apache2-suexec apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-dbg
> Architecture: source i386 all
> Version: 2.4.10-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
> Changed-By: Stefan Fritsch <sf@debian.org>
> Description:
> apache2    - Apache HTTP Server
> apache2-bin - Apache HTTP Server (binary files and modules)
> apache2-data - Apache HTTP Server (common files)
> apache2-dbg - Apache debugging symbols
> apache2-dev - Apache HTTP Server (development headers)
> apache2-doc - Apache HTTP Server (on-site documentation)
> apache2-mpm-event - transitional event MPM package for apache2
> apache2-mpm-itk - transitional itk MPM package for apache2
> apache2-mpm-prefork - transitional prefork MPM package for apache2
> apache2-mpm-worker - transitional worker MPM package for apache2
> apache2-suexec - transitional package for apache2-suexec-pristine
> apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
> apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
> apache2-utils - Apache HTTP Server (utility programs for web servers)
> apache2.2-bin - Transitional package for apache2-bin
> apache2.2-common - Transitional package for apache2
> libapache2-mod-macro - Transitional package for apache2-bin
> libapache2-mod-proxy-html - Transitional package for apache2-bin
> Closes: 709461 711925 716880 751361 752922
> Changes:
> apache2 (2.4.10-1) unstable; urgency=medium
> .
>    [ Arno Töll ]
>    * New upstream version
>      + Refresh debian/patches/fhs_compliance.patch
>      + Security Fixes:
>        - CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash
>        - CVE-2014-0226 Fix a race condition resulting in a heap overflow in
>          scoreboard handling
>        - CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the
>          length and compression ratio of inflated request to mitigate a
>          possible DoS
>        - CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts
>      + Fixes SNI with certificate defined in global scope. (Closes: #751361)
>    * Warn users if they try to disable modules that we consider essential for
>      operation of the Apache web server (Closes: #709461)
>    * Drop libcap from our build-dependencies. That was needed for itk which we
>      gave source out to its own package again.
>    * Provide apache2.2-common package to avoid upgrading problems for people
>      using --purge (apt) or --purge-unused (aptitude) even though that's
>      clearly discouraged. This caused disappearing of conffiles because we move
>      them from apache2.2-common to apache2 during the upgrade. Ugh. This was
>      not a bug in our packaging, but unfortunately people blame us
>      nonetheless even though it's not all our fault. This alternative helps
>      those people, but at the same time means that incompatible modules aren't
>      force-removed by dpkg during the upgrade. Hopefully we catch all of them
>      with the Breaks relation coming along (Closes: #716880, #752922, #711925)
> 
> 
> 
> From: Alex Bligh <alex@alex.org.uk>
> Subject: apache2 upgrade wheezy->jessie breaks certain apache2 modules
> Date: 27 June 2014 20:35:39 BST
> To: Debian Bug Tracking System <submit@bugs.debian.org>
> 
> 
> Package: apache2
> Version: 2.4.9-2
> Severity: important
> 
> Dear Maintainer,
> 
> Upgrading from stable (wheezy) to testing (jessie) permanently breaks certain apache2 modules.
> 
> This bug has also been filed for Ubuntu:
>  https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1333388
> but the Ubuntu folks suggested this should be fixed upstream so I am filing the bug report here. This report should be a bit easier to read.
> 
> When stable is upgraded to testing, apache 2.2 is replaced by apache 2.4. Under apache 2.4, the default set of modules built is different to that under apache 2.2, and certain modules (e.g. mod_ident, which is the one that bit me) are not built, and are not included by default in the apache 2.4 package. Nor are they included in any other package.
> 
> This is in itself a problem, because any systems relying on these modules will not survive the upgrade.
> 
> Worse, though, is what happens after an upgrade. I rebuilt mod_ident as a separate .deb in the hope it would work and could be contributed back:
> 
>  https://github.com/abligh/libapache-mod-ident
> 
> However, this exposes a conffile handling issue which is hard to work around in any normal manner.
> 
> The issue is as follows. When apache2.2-common is installed, it has a conffile for the .load file of the relevant module. In this instance:
> 
> root@debiantest:~# dpkg-query -W -f='${Conffiles}' apache2.2-common | fgrep ident
> /etc/apache2/mods-available/ident.load 51ba623a8a2bd71c512f847d02e0934f
> 
> When this is upgraded to jessie (using dist-upgrade), the conffile is (correctly) removed, but the record of the conffile still exists under the apache2.2-common package.
> 
> During install we see:
> Removing apache2.2-common (2.2.22-13+deb7u1) ...
> (Reading database ... 14345 files and directories currently installed.)
> Preparing to unpack .../apache2_2.4.9-2_amd64.deb ...
> Moving obsolete conffile /etc/apache2/mods-available/authz_default.load out of the way...
> Moving obsolete conffile /etc/apache2/mods-available/authn_default.load out of the way...
> Moving obsolete conffile /etc/apache2/mods-available/mem_cache.load out of the way...
> Moving obsolete conffile /etc/apache2/mods-available/mem_cache.conf out of the way...
> Moving obsolete conffile /etc/apache2/mods-available/authn_alias.load out of the way...
> Moving obsolete conffile /etc/apache2/mods-available/cern_meta.load out of the way...
> Moving obsolete conffile /etc/apache2/mods-available/disk_cache.load out of the way...
> Moving obsolete conffile /etc/apache2/mods-available/disk_cache.conf out of the way...
> Moving obsolete conffile /etc/apache2/mods-available/ident.load out of the way...
> Moving obsolete conffile /etc/apache2/mods-available/imagemap.load out of the way...
> Unpacking apache2 (2.4.9-2) over (2.2.22-13+deb7u1) ...
> 
> 
> but then afterwards:
> 
> root@debiantest:~# dpkg --list | fgrep apache
> ii  apache2                       2.4.9-2               amd64        Apache HTTP Server
> ii  apache2-bin                   2.4.9-2               amd64        Apache HTTP Server (binary files and modules)
> ii  apache2-data                  2.4.9-2               all          Apache HTTP Server (common files)
> ii  apache2-mpm-worker            2.4.9-2               amd64        transitional worker MPM package for apache2
> ii  apache2-utils                 2.4.9-2               amd64        Apache HTTP Server (utility programs for web servers)
> ii  apache2.2-bin                 2.4.9-2               amd64        Transitional package for apache2-bin
> rc  apache2.2-common              2.2.22-13+deb7u1      amd64        Apache HTTP Server common files
> root@debiantest:~# dpkg-query -W -f='${Conffiles}' apache2.2-common | fgrep ident
> /etc/apache2/mods-available/ident.load 51ba623a8a2bd71c512f847d02e0934f
> 
> 
> Now imagine you have another package which depends on mod_ident to work. It can:
> 
>  Depends: apache2, apache2.2-bin | libapache2-mod-ident
> 
> which means it will pull in another libapache2-mod-ident module for apache 2.4 at the time of the upgrade as apache2.2-bin will be removed.
> 
> However, this then won't install the conffile above as apache2.2-common owns it. Adding Replaces: Breaks: to the 2.4 module is insufficient as though this marks apache2.2's entry for the conffile as obsolete, the .load file still doesn't get installed. Commit cb55f139c661cd345f1e1234a977f6c17b653bd1 to the version of mod_ident above works around this in a fairly disgusting manner, i.e. Replaces: Breaks:, plus copying the file in manually in the .postinst if it's not already there.
> 
> In summary, the change to 2.4 makes it VERY HARD to safely upgrade from wheezy to jessie if a program relies upon the relevant modules. I can see why the auth modules might have been deprecated, but I see no reason why the ident module should have been.
> 
> I would suggest:
> * Produce an apache2-mod-extra package containing the non-default modules (i.e. build with the 'reallyall' parameter to configure but put these extra modules in a separate package);
> or
> * Build the excised modules into separate packages; or
> * Reinstate these to the main package
> 
> The problem with the third option is now any users of these will have worked around the problem by producing their own package; an updated version which reinstates them will break that package.
> 
> The full list of modules affected is (I think):
> authn_alias
> authn_default
> authz_default
> cern_meta
> disk_cache
> ident
> imagemap
> mem_cache
> version
> 
> 
> 
> -- Package-specific info:
> 
> -- System Information:
> Debian Release: jessie/sid
>  APT prefers testing
>  APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.13.0-29-generic (SMP w/2 CPU cores)
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages apache2 depends on:
> ii  apache2-bin   2.4.9-2
> ii  apache2-data  2.4.9-2
> ii  lsb-base      4.1+Debian13
> ii  mime-support  3.56
> ii  perl          5.18.2-4
> ii  procps        1:3.3.9-5
> 
> Versions of packages apache2 recommends:
> ii  ssl-cert  1.0.34
> 
> Versions of packages apache2 suggests:
> pn  apache2-doc                                      <none>
> pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
> ii  apache2-utils                                    2.4.9-2
> pn  www-browser                                      <none>
> 
> Versions of packages apache2-bin depends on:
> ii  libapr1                  1.5.1-2
> ii  libaprutil1              1.5.3-2
> ii  libaprutil1-dbd-sqlite3  1.5.3-2
> ii  libaprutil1-ldap         1.5.3-2
> ii  libc6                    2.19-3
> ii  libldap-2.4-2            2.4.39-1
> ii  liblua5.1-0              5.1.5-5
> ii  libpcre3                 1:8.31-5
> ii  libssl1.0.0              1.0.1h-3
> ii  libxml2                  2.9.1+dfsg1-3
> ii  perl                     5.18.2-4
> ii  zlib1g                   1:1.2.8.dfsg-1
> 
> Versions of packages apache2-bin suggests:
> pn  apache2-doc                                      <none>
> pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
> pn  www-browser                                      <none>
> 
> Versions of packages apache2 is related to:
> ii  apache2      2.4.9-2
> ii  apache2-bin  2.4.9-2
> 
> -- no debconf information
> 
> 

-- 
Alex Bligh




Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
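
A check for the state the quoted report describes, where a package left in "rc" still holds a conffile record for a file that is no longer on disk. This is an added example, not code from the report or from the Debian packaging. The dpkg-query format string named in the comment, the ROOT argument and every sample record other than the ident.load line are assumptions constructed here.

```shell
#!/bin/sh
# Reads text shaped like the output of
#   dpkg-query -W -f='${Package} ${db:Status-Abbrev}\n${Conffiles}\n'
# on stdin and prints "package path" for each conffile that is still recorded
# by a removed-but-not-purged package ("rc") although the file is gone.
# ROOT is prefixed to every path so the check can run against a test tree;
# pass an empty string to check the live filesystem.
# Limitation: conffile paths containing whitespace are not handled.
stale_conffiles() {
    root=$1
    pkg=
    state=
    while read -r first second _rest; do
        case $first in
            '') ;;                      # blank line between records
            /*)                         # conffile line: path md5 [obsolete]
                if [ "$state" = rc ] && [ ! -e "$root$first" ]; then
                    printf '%s %s\n' "$pkg" "$first"
                fi ;;
            *)  pkg=$first              # header line: package name + status
                state=$second ;;
        esac
    done
}

# Constructed sample. Only the ident.load path and md5 come from the report;
# the other records and their all-zero md5 values are placeholders.
sample_db() {
    cat <<'EOF'
apache2 ii
 /etc/apache2/apache2.conf 00000000000000000000000000000000
apache2.2-common rc
 /etc/apache2/mods-available/alias.load 00000000000000000000000000000000
 /etc/apache2/mods-available/ident.load 51ba623a8a2bd71c512f847d02e0934f
EOF
}

# Build a throwaway tree in which ident.load is missing, as after the upgrade,
# and run the check against it.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/apache2/mods-available"
    : > "$root/etc/apache2/apache2.conf"
    : > "$root/etc/apache2/mods-available/alias.load"
    sample_db | stale_conffiles "$root"
    rm -rf "$root"
}

demo
```

Run before and after an upgrade, the difference between the two listings shows which module .load files were dropped while their conffile record stayed behind.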

