
Bug#803353: marked as done (apache2: apache 2.4.17 introduces breaking change to REDIRECT_URL)



Your message dated Sat, 31 Oct 2015 22:34:09 +0000
with message-id <E1Zseiv-0001e9-Js@franck.debian.org>
and subject line Bug#803353: fixed in apache2 2.4.17-2
has caused the Debian Bug report #803353,
regarding apache2: apache 2.4.17 introduces breaking change to REDIRECT_URL
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
803353: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803353
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.17-1
Severity: normal

Dear Maintainer,

There appears to have been a mistake upstream.

The following change was proposed on April Fools Day this year:

https://bz.apache.org/bugzilla/show_bug.cgi?id=57785

Despite breaking all kinds of things, this patch somehow made it
into apache 2.4.17.

It changes the REDIRECT_URL variable, which untold numbers of sites
(millions?) rely on.

That page says that REDIRECT_URL was introduced in 2010, but that
is not true. The earliest version of apache source I can find is
from 1996, and it includes the REDIRECT_URL variable:

http://svn.apache.org/viewvc/httpd/httpd/tags/1.3/apache_1_0_0/src/main/util_script.c?revision=76316&view=markup

I understand that sometimes breaking changes need to be made, but
not with little fanfare when only the tertiary version number
changes.

apache 2.5.0 appears to have already fixed this, by making the new
behavior opt-in: 

https://github.com/apache/httpd/blob/42fe5bdacc3395981f717e70c8b03e587bbf865b/CHANGES

And it looks like 2.4.18 will have that fix as well:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201510.mbox/%3C8E4D5EDE-E9F5-4551-BE25-694E4D9B3C1B%40jaguNET.com%3E


I'm not sure what should be done about this, but it breaks almost
every site I've ever made (at least 50), so I thought you all
should at least know about it.


Here are some fun quotes from the upstream bug:

	"This patch appears to break the pre-existing PHP behaviour (all
	versions, verified as far back as PHP 5.2)."

	"Here at cPanel we are reverting our 2.4.17 release and are
	going to re-release 2.4.16. Too many issues with
	mod_rewrite/REDIRECT_URL causing a *lot* of applications to
	stop working." 


-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 4.2.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.17-1
ii  apache2-data   2.4.17-1
ii  apache2-utils  2.4.17-1
ii  dpkg           1.18.3
ii  lsb-base       9.20150917
ii  mime-support   3.59
ii  perl           5.20.2-6
ii  procps         2:3.3.10-4

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.37

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  chromium [www-browser]                           46.0.2490.71-1
ii  elinks [www-browser]                             0.12~pre6-10
ii  iceweasel [www-browser]                          38.3.0esr-1
ii  lynx-cur [www-browser]                           2.8.9dev6-4
ii  w3m [www-browser]                                0.5.3-25

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.2-3
ii  libaprutil1              1.5.4-1
ii  libaprutil1-dbd-sqlite3  1.5.4-1
ii  libaprutil1-ldap         1.5.4-1
ii  libc6                    2.19-22
ii  libldap-2.4-2            2.4.42+dfsg-2
ii  liblua5.1-0              5.1.5-8
ii  libnghttp2-14            1.3.4-2
ii  libpcre3                 2:8.35-7.2
ii  libssl1.0.0              1.0.2d-1
ii  libxml2                  2.9.2+zdfsg1-4
ii  perl                     5.20.2-6
ii  zlib1g                   1:1.2.8.dfsg-2+b1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  chromium [www-browser]                           46.0.2490.71-1
ii  elinks [www-browser]                             0.12~pre6-10
ii  iceweasel [www-browser]                          38.3.0esr-1
ii  lynx-cur [www-browser]                           2.8.9dev6-4
ii  w3m [www-browser]                                0.5.3-25

Versions of packages apache2 is related to:
ii  apache2      2.4.17-1
ii  apache2-bin  2.4.17-1

-- Configuration Files:
/etc/apache2/mods-available/ident.load [Errno 2] No such file or directory: u'/etc/apache2/mods-available/ident.load'
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.17-2

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 803353@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 31 Oct 2015 23:17:11 +0100
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-dbg
Architecture: source amd64 all
Version: 2.4.17-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Closes: 803177 803353
Changes:
 apache2 (2.4.17-2) unstable; urgency=medium
 .
   * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke
     lots of web-apps. Closes: #803353
   * Fix secondary-init-script to not source the main init script with 'set -e'.
     Closes: #803177
   * mod_http2: Write HTTP/2 into THE_REQUEST and the access log.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
