Bug#864019: unblock: dacs/1.4.38a-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package dacs. Testing by Jonas Smedegaard revealed that
the apache module is not loadable anymore because it tries to access a
private openssl symbol. We had been patching out that code part in
earlier package versions, but the patch got dropped recently because
it seemed not necessary anymore; unfortunately that was wrong, so this
upload reverts to the code that has been in wheezy and jessie.
We also switch back to libssl1.0 because it seems safer to use the SSL
version that apache2 itself is using.
Sorry for not catching this earlier via automated tests; a basic one
is added now.
Control files: lines which differ (wdiff format)
------------------------------------------------
apache2-dev, [-libssl-dev,-] {+apache2-ssl-dev,+} libexpat1-dev, chrpath,
groff-base, xsltproc, docbook-xsl, [-libxmlsec1-dev,-] libpam0g-dev
diff -Nru dacs-1.4.38a/debian/changelog dacs-1.4.38a/debian/changelog
--- dacs-1.4.38a/debian/changelog 2017-01-12 16:22:08.000000000 +0100
+++ dacs-1.4.38a/debian/changelog 2017-05-28 20:42:21.000000000 +0200
@@ -1,3 +1,21 @@
+dacs (1.4.38a-2) unstable; urgency=medium
+
+ * Reintroduce debian/patches/ssl_hook_Fixup. Otherwise, the module tries to
+ access the non-public ssl_hook_Fixup() function which is not resolvable
+ anymore in recent openssl versions. Practical history in Debian (the patch
+ had been there since the package was first uploaded in 2012, and even
+ earlier in private packages), and code comments indicate the function call
+ is not necessary, so remove it. Thanks to Jonas Smedegaard for spotting!
+ (Closes: #863395)
+ * Build-Depend on apache2-ssl-dev instead of libssl-dev to match the openssl
+ version apache2 is using.
+ * Add test case using a2enmod/apache2ctl configtest.
+ * Remove Build-Depends on libxmlsec1-dev which was only needed for the
+ already disabled infocard support. (Additionally, libxmlsec1-dev depends
+ on libssl-dev, so it was not co-installable with libssl1.0-dev anyway.)
+
+ -- Christoph Berg <myon@debian.org> Sun, 28 May 2017 20:42:21 +0200
+
dacs (1.4.38a-1) unstable; urgency=medium
* New upstream version.
diff -Nru dacs-1.4.38a/debian/control dacs-1.4.38a/debian/control
--- dacs-1.4.38a/debian/control 2016-11-19 12:36:26.000000000 +0100
+++ dacs-1.4.38a/debian/control 2017-05-28 20:42:21.000000000 +0200
@@ -4,9 +4,9 @@
Maintainer: Christoph Berg <christoph.berg@credativ.de>
Uploaders: Martin Zobel-Helas <zobel@debian.org>
Build-Depends: debhelper (>= 9),
- apache2-dev, libssl-dev, libexpat1-dev, chrpath,
+ apache2-dev, apache2-ssl-dev, libexpat1-dev, chrpath,
libsasl2-dev, libperl-dev, libldap2-dev, autotools-dev,
- groff-base, xsltproc, docbook-xsl, libxmlsec1-dev, libpam0g-dev
+ groff-base, xsltproc, docbook-xsl, libpam0g-dev
Standards-Version: 3.9.8
Homepage: https://dacs.dss.ca/
Vcs-Git: https://alioth.debian.org/anonscm/git/collab-maint/dacs.git
diff -Nru dacs-1.4.38a/debian/patches/series dacs-1.4.38a/debian/patches/series
--- dacs-1.4.38a/debian/patches/series 2016-11-19 12:36:26.000000000 +0100
+++ dacs-1.4.38a/debian/patches/series 2017-05-28 20:42:21.000000000 +0200
@@ -1,3 +1,4 @@
+ssl_hook_Fixup
libtool-shell
shared-library-linkage
reproducible-build
diff -Nru dacs-1.4.38a/debian/patches/ssl_hook_Fixup dacs-1.4.38a/debian/patches/ssl_hook_Fixup
--- dacs-1.4.38a/debian/patches/ssl_hook_Fixup 1970-01-01 01:00:00.000000000 +0100
+++ dacs-1.4.38a/debian/patches/ssl_hook_Fixup 2017-05-28 20:42:21.000000000 +0200
@@ -0,0 +1,22 @@
+--- a/apache/mod_auth_dacs.c
++++ b/apache/mod_auth_dacs.c
+@@ -195,9 +195,6 @@ static int is_apache_2_2_build = 1;
+ /* For getpid() */
+ #include <unistd.h>
+
+-/* In modules/ssl/ssl_engine_kernel.c */
+-extern int ssl_hook_Fixup(request_rec *);
+-
+ #if defined(__DATE__) && defined(__TIME__)
+ static const char module_built[] = __DATE__ " " __TIME__;
+ #else
+@@ -1572,9 +1569,6 @@ exec_dacs_acs(request_rec *r, const char
+ ap_add_common_vars(r);
+ dacs_add_cgi_vars(r); /* -bjb 21-Jan-2015 */
+
+- if (ssl_is_ssl_request(r))
+- ssl_hook_Fixup(r); /* XXX This probably wasn't intended usage */
+-
+ /*
+ * DACS cookies are always removed from the environment before invoking
+ * dacs_acs so that they are not visible and easily copied.
diff -Nru dacs-1.4.38a/debian/tests/a2enmod dacs-1.4.38a/debian/tests/a2enmod
--- dacs-1.4.38a/debian/tests/a2enmod 1970-01-01 01:00:00.000000000 +0100
+++ dacs-1.4.38a/debian/tests/a2enmod 2017-05-28 20:42:21.000000000 +0200
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -e
+
+a2enmod auth_dacs
+apache2ctl configtest
diff -Nru dacs-1.4.38a/debian/tests/control dacs-1.4.38a/debian/tests/control
--- dacs-1.4.38a/debian/tests/control 1970-01-01 01:00:00.000000000 +0100
+++ dacs-1.4.38a/debian/tests/control 2017-05-28 20:42:21.000000000 +0200
@@ -0,0 +1,3 @@
+Depends: @, apache2
+Tests: a2enmod
+Restrictions: needs-root
unblock dacs/1.4.38a-2
Thanks,
Christoph
Reply to: