Bug#1112254: apache2-bin: LDAP Basic auth working with bullseye but segfault when upgraded to bookworm
Package: apache2-bin
Version: 2.4.65-1~deb11u1
Severity: normal
Dear Maintainers,
During upgrade to bookworm, access to locations requiring a basic auth using a local openldap server stops working.
openldap is running on the same host, access is done using ldap://localhost/ without TLS.
Configuration is:
<Directory /a/b/www/restrictedsubdir/>
# Auth LDAP
AuthBasicProvider ldap
AuthType Basic
AuthName "Restricted access"
AuthLDAPURL "ldap://localhost/ou=users,dc=xxx,dc=fr?cn?sub?(objectClass=person)" NONE
AuthLDAPBindDN "cn=webserver,ou=system,dc=xxx,dc=fr"
AuthLDAPBindPassword "xxxx"
Require valid-user
</Directory>
When upgraded, apache reports (with LDAPLibraryDebug 7):
ldap_simple_bind
ldap_sasl_bind
[Wed Aug 27 22:03:16.104849 2025] [core:notice] [pid 18603:tid 18603] AH00051: child pid 18624 exit signal
Segmentation fault (11), possible coredump in /tmp
Nothing is traced in the accesslog nor in the LDAP server logs.
ldapsearch is working fine using the same credentials provided using AuthLDAPBindDN / AuthLDAPBindPassword.
Authentication using the simple-ldap-login WordPress plugin (PHP8) is working fine too.
Other access without authentication, or using the file provider are fine.
Backtrace is:
Reading symbols from /usr/sbin/apache2...
(No debugging symbols found in /usr/sbin/apache2)
warning: Can't open file /dev/zero (deleted) during file-backed mapping note processing
[New LWP 18609]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/apache2 -k start'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f675582ab86 in ldap_int_put_controls () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
(gdb) bt
#0 0x00007f675582ab86 in ldap_int_put_controls () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#1 0x00007f675582ff35 in ldap_build_bind_req () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#2 0x00007f67558300f7 in ldap_sasl_bind () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#3 0x00007f6755830cf6 in ldap_simple_bind () from /lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#4 0x00007f6754c8ff25 in ?? () from /usr/lib/apache2/modules/mod_ldap.so
#5 0x00007f6754c90228 in ?? () from /usr/lib/apache2/modules/mod_ldap.so
#6 0x00007f6754c938b7 in ?? () from /usr/lib/apache2/modules/mod_ldap.so
#7 0x00007f675588172b in ?? () from /usr/lib/apache2/modules/mod_authnz_ldap.so
#8 0x00007f675589bab2 in ?? () from /usr/lib/apache2/modules/mod_auth_basic.so
#9 0x000055e48edaa580 in ap_run_check_user_id ()
#10 0x000055e48edad228 in ap_process_request_internal ()
#11 0x000055e48edcf208 in ap_process_async_request ()
#12 0x000055e48edcf45e in ap_process_request ()
#13 0x000055e48edcb224 in ?? ()
#14 0x000055e48edbfd90 in ap_run_process_connection ()
#15 0x00007f6754c7cbbc in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#16 0x00007f6754c7cf26 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#17 0x00007f6754c7cf71 in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#18 0x00007f6754c7d67f in ?? () from /usr/lib/apache2/modules/mod_mpm_prefork.so
#19 0x000055e48ed958e0 in ap_run_mpm ()
#20 0x000055e48ed8d178 in main ()
Bug #578566 does not resolve the issue.
-- Package-specific info:
-- System Information:
Debian Release: 12.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldoldstable-updates'), (500, 'oldoldstable-security'), (500, 'oldoldstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-38-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apache2-bin depends on:
ii libapr1 1.7.2-3+deb12u1
ii libaprutil1 1.6.3-1
ii libaprutil1-dbd-sqlite3 1.6.3-1
ii libaprutil1-ldap 1.6.3-1
ii libbrotli1 1.0.9-2+b6
ii libc6 2.36-9+deb12u10
ii libcrypt1 1:4.4.33-2
ii libcurl4 7.88.1-10+deb12u12
ii libjansson4 2.14-2
ii libldap-2.4-2 2.4.57+dfsg-3+deb11u1
ii liblua5.3-0 5.3.6-2
ii libnghttp2-14 1.52.0-1+deb12u2
ii libpcre3 2:8.39-15
ii libssl1.1 1.1.1w-0+deb11u3
ii libxml2 2.9.14+dfsg-1.3~deb12u2
ii perl 5.36.0-7+deb12u2
ii zlib1g 1:1.2.13.dfsg-1
apache2-bin recommends no packages.
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii w3m [www-browser] 0.5.3+git20230121-2
Versions of packages apache2 depends on:
ii apache2-data 2.4.65-1~deb11u1
ii apache2-utils 2.4.65-1~deb11u1
ii dpkg 1.21.22
ii init-system-helpers 1.65.2
ii lsb-base 11.6
ii mime-support 3.66
ii perl 5.36.0-7+deb12u2
ii procps 2:4.0.2-3
ii sysvinit-utils [lsb-base] 3.06-4
Versions of packages apache2 recommends:
ii ssl-cert 1.1.2
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii w3m [www-browser] 0.5.3+git20230121-2
Versions of packages apache2-bin is related to:
ii apache2 2.4.65-1~deb11u1
ii apache2-bin 2.4.65-1~deb11u1
-- no debconf information
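
The package listing above shows ~deb11 and +deb12 version suffixes side by side on a host that reports Debian Release 12.11. As an added example (not part of the original report), the shell function below lists packages whose suffix names a different release than the running one; the function names and the sample subset of the listing are constructed here.

```shell
#!/bin/sh
# Added example. Reads "package version" pairs on stdin and prints those whose
# version carries a debNN stable-update suffix for a release other than $1.
# On a live host, feed it: dpkg-query -W -f='${Package} ${Version}\n'
# Versions without a debNN suffix (e.g. 1.6.3-1) cannot be attributed to a
# release this way and are not printed.
stale_release_packages() {
    awk -v want="$1" '
        # Match suffixes such as "~deb11u1" or "+deb12u10".
        match($2, /[~+]deb[0-9]+u[0-9]+/) {
            rel = substr($2, RSTART + 4, RLENGTH - 4)   # e.g. "11u1"
            sub(/u.*/, "", rel)                          # e.g. "11"
            if (rel != want) print $1, $2
        }'
}

# Constructed sample: a subset of the versions listed in the report.
sample_listing() {
    cat <<'EOF'
apache2-bin 2.4.65-1~deb11u1
libapr1 1.7.2-3+deb12u1
libaprutil1-ldap 1.6.3-1
libc6 2.36-9+deb12u10
libldap-2.4-2 2.4.57+dfsg-3+deb11u1
libssl1.1 1.1.1w-0+deb11u3
libxml2 2.9.14+dfsg-1.3~deb12u2
EOF
}

# 12 is the major number of the release the host reports (Debian 12.11).
sample_listing | stale_release_packages 12
```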