
Bug#799105: Broken mod_dav_svn and mod_auth_kerb joint operation

Package: apache2-bin
Version: 2.4.10-10+deb8u3
Severity: important

Upgrade of the package "apache2-bin" in the stable release (Jessie) from
2.4.10-10 to 2.4.10-10+deb8u3 has broken the joint operation of the modules
"mod_dav_svn" (libapache2-mod-svn) and "mod_auth_kerb".

Both modules continue to work fine when taken separately. But together they
have become unusable. The web server now refuses to authenticate any SVN user
by Kerberos (GSSAPI). Apache does not even try to start the SPNEGO mechanism
process and does not send the corresponding HTTP header to the browser
anymore, so authentication fails.

In version 2.4.10-10, before the upgrade, everything was fine. I suppose the
bug is caused by some code changes made during the DSA-3325-1 security fix.

The sample apache configuration to reproduce:

<VirtualHost *:80>
        ServerName svn.foo.bar

        ServerAdmin stas@foo.bar
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/004-svn-error.log
        CustomLog ${APACHE_LOG_DIR}/004-svn-access.log combined

        AssignUserID svn svn

        <Location />
            AuthType Kerberos
            AuthName "Please login to proceed"
            KrbAuthRealms FOO.BAR
            KrbServiceName HTTP
            Krb5Keytab /etc/apache2/apache.keytab
            KrbMethodNegotiate on
            KrbMethodK5Passwd off
            KrbLocalUserMapping On
            Require valid-user

            DAV svn
            SVNParentPath /var/lib/svn
            AuthzSVNAccessFile /etc/apache2/dav_svn.authz
        </Location>
</VirtualHost>


The same issue affected Ubuntu users as well:

-- Package-specific info:

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.1-3
ii  libaprutil1              1.5.4-1
ii  libaprutil1-dbd-sqlite3  1.5.4-1
ii  libaprutil1-ldap         1.5.4-1
ii  libc6                    2.19-18+deb8u1
ii  libldap-2.4-2            2.4.40+dfsg-1+deb8u1
ii  liblua5.1-0              5.1.5-7.1
ii  libpcre3                 2:8.35-3.3
ii  libssl1.0.0              1.0.1k-3+deb8u1
ii  libxml2                  2.9.1+dfsg1-5
ii  perl                     5.20.2-3+deb8u1
ii  zlib1g                   1:1.2.8.dfsg-2+b1

apache2-bin recommends no packages.

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 depends on:
ii  apache2-data   2.4.10-10+deb8u3
ii  apache2-utils  2.4.10-10+deb8u3
ii  dpkg           1.17.25
ii  lsb-base       4.1+Debian13+nmu1
ii  mime-support   3.58
ii  perl           5.20.2-3+deb8u1
ii  procps         2:3.3.9-9

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.35

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin is related to:
ii  apache2      2.4.10-10+deb8u3
ii  apache2-bin  2.4.10-10+deb8u3

-- no debconf information
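
Added example (not part of the original bug report): with SPNEGO, the header the report says is no longer sent is the "WWW-Authenticate: Negotiate" challenge on a 401 response. This Python check classifies captured responses by whether that challenge is present; the sample responses and function names are constructed for illustration.

```python
import re

# Split on commas that sit outside double-quoted strings, so a realm such as
# "Please login, to proceed" is not cut in half.
_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def offered_schemes(raw):
    """Return (status_code, set of lower-cased WWW-Authenticate schemes)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(head[0].split()[1])
    schemes = set()
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for part in _COMMA.split(value):
            words = part.split()
            # A challenge starts with a bare scheme token; "key=value" is a parameter.
            if words and "=" not in words[0]:
                schemes.add(words[0].lower())
    return status, schemes

def classify(raw):
    """Label a response: SPNEGO offered, challenge missing, or not a 401 at all."""
    status, schemes = offered_schemes(raw)
    if status != 401:
        return "no-challenge"
    return "spnego-offered" if "negotiate" in schemes else "negotiate-missing"

# Constructed sample responses (not captured from the reporter's server).
WORKING = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n"
BROKEN = "HTTP/1.1 401 Unauthorized\r\nContent-Type: text/html\r\n\r\n"
MIXED = ('HTTP/1.1 401 Unauthorized\r\n'
         'WWW-Authenticate: Negotiate, Basic realm="Please login, to proceed"\r\n\r\n')
PUBLIC = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("working", WORKING), ("broken", BROKEN),
                       ("mixed", MIXED), ("public", PUBLIC)]:
        print(label, classify(raw), sorted(offered_schemes(raw)[1]))
```

To check a live server, save the response headers of an unauthenticated request to the protected location and pass the text to classify().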
