Bug#799105: Broken mod_dav_svn and mod_auth_kerb joint operation
Package: apache2-bin
Version: 2.4.10-10+deb8u3
Severity: important
The upgrade of the package "apache2-bin" in the stable release (Jessie) from
2.4.10-10 to 2.4.10-10+deb8u3 has broken the joint operation of the modules
"mod_dav_svn" (libapache2-mod-svn) and "mod_auth_kerb"
(libapache2-mod-auth-kerb).
Both modules continue to work fine when taken separately. But together they
have become unusable. The web server now refuses to authenticate any SVN user
via Kerberos (GSSAPI). Apache does not even try to start the SPNEGO mechanism
and no longer sends the corresponding HTTP header to the browser,
so authentication fails.
In version 2.4.10-10, before the upgrade, everything was fine. I suppose the
bug is caused by some code changes made during the DSA-3325-1 security fix.
A sample Apache configuration to reproduce:
<VirtualHost *:80>
    ServerName svn.foo.bar
    ServerAdmin stas@foo.bar
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/004-svn-error.log
    CustomLog ${APACHE_LOG_DIR}/004-svn-access.log combined
    AssignUserID svn svn
    <Location />
        AuthType Kerberos
        AuthName "Please login to proceed"
        KrbAuthRealms FOO.BAR
        KrbServiceName HTTP
        Krb5Keytab /etc/apache2/apache.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbLocalUserMapping On
        Require valid-user
        DAV svn
        SVNParentPath /var/lib/svn
        AuthzSVNAccessFile /etc/apache2/dav_svn.authz
    </Location>
</VirtualHost>
The same issue affected Ubuntu users as well:
http://askubuntu.com/questions/667890/mod-auth-kerb-apache-2-4-not-authenticating-for-sub-folders
-- Package-specific info:
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apache2-bin depends on:
ii libapr1 1.5.1-3
ii libaprutil1 1.5.4-1
ii libaprutil1-dbd-sqlite3 1.5.4-1
ii libaprutil1-ldap 1.5.4-1
ii libc6 2.19-18+deb8u1
ii libldap-2.4-2 2.4.40+dfsg-1+deb8u1
ii liblua5.1-0 5.1.5-7.1
ii libpcre3 2:8.35-3.3
ii libssl1.0.0 1.0.1k-3+deb8u1
ii libxml2 2.9.1+dfsg1-5
ii perl 5.20.2-3+deb8u1
ii zlib1g 1:1.2.8.dfsg-2+b1
apache2-bin recommends no packages.
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2 depends on:
ii apache2-data 2.4.10-10+deb8u3
ii apache2-utils 2.4.10-10+deb8u3
ii dpkg 1.17.25
ii lsb-base 4.1+Debian13+nmu1
ii mime-support 3.58
ii perl 5.20.2-3+deb8u1
ii procps 2:3.3.9-9
Versions of packages apache2 recommends:
ii ssl-cert 1.0.35
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2-bin is related to:
ii apache2 2.4.10-10+deb8u3
ii apache2-bin 2.4.10-10+deb8u3
-- no debconf information
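
A diagnostic check for the symptom described in the report above, added here as an example (it is not part of the original bug report, nor code from Apache or mod_auth_kerb): it classifies an unauthenticated response by whether a "WWW-Authenticate: Negotiate" challenge is offered. The function names, the result labels, and the assumption that an affected server answers 401 without a Negotiate challenge are illustrative.

```python
import http.client
import re

_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')          # quoted-string, e.g. realm="..."
_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9_-]*\Z")   # bare auth-scheme token


def offered_schemes(challenge_values):
    """Return the lower-cased auth schemes named in WWW-Authenticate values."""
    schemes = []
    for value in challenge_values:
        # Blank out quoted strings so a comma inside realm="..." does not split,
        # and close up "name = value" so parameters are not mistaken for schemes.
        flat = re.sub(r"\s*=\s*", "=", _QUOTED.sub('""', value))
        for part in flat.split(","):
            words = part.split()
            if words and _SCHEME.match(words[0]):
                schemes.append(words[0].lower())
    return schemes


def classify(status, challenge_values):
    """Classify an unauthenticated reply from a Kerberos-protected location."""
    if status != 401:
        return "not-401"             # no authentication challenge was issued
    schemes = offered_schemes(challenge_values)
    if "negotiate" in schemes:
        return "spnego-offered"      # expected with "KrbMethodNegotiate on"
    if schemes:
        return "other-scheme-only"   # e.g. only Basic is advertised
    # Assumed shape of the regression reported here: no Negotiate header sent.
    return "no-challenge"


def probe(host, path="/", port=80, timeout=5):
    """Send one unauthenticated OPTIONS request and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return classify(resp.status, resp.msg.get_all("WWW-Authenticate") or [])
    finally:
        conn.close()
```

Running probe("svn.foo.bar") against the virtual host from the sample configuration before and after the package upgrade shows whether the Negotiate challenge disappeared.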