Package: apache2-bin
Version: 2.4.10-10+deb8u3
Severity: important

Upgrade of the package "apache2-bin" in the stable release (Jessie) from 2.4.10-10 to 2.4.10-10+deb8u3 has broken the joint operation of the modules "mod_dav_svn" (libapache2-mod-svn) and "mod_auth_kerb" (libapache2-mod-auth-kerb).

Both modules continue to work fine when taken separately. But together they became unusable. The web server now refuses to authenticate any SVN user via Kerberos (GSSAPI). Apache does not even try to start the SPNEGO mechanism process and does not send the corresponding HTTP header to the browser anymore, so authentication fails. In version 2.4.10-10, before the upgrade, everything was fine. I suppose the bug is caused by some code changes during the DSA-3325-1 security fix.

The sample Apache configuration to reproduce:

<VirtualHost *:80>
    ServerName svn.foo.bar
    ServerAdmin s...@foo.bar
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/004-svn-error.log
    CustomLog ${APACHE_LOG_DIR}/004-svn-access.log combined
    AssignUserID svn svn
    <Location />
        AuthType Kerberos
        AuthName "Please login to proceed"
        KrbAuthRealms FOO.BAR
        KrbServiceName HTTP
        Krb5Keytab /etc/apache2/apache.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbLocalUserMapping On
        Require valid-user
        DAV svn
        SVNParentPath /var/lib/svn
        AuthzSVNAccessFile /etc/apache2/dav_svn.authz
    </Location>
</VirtualHost>

The same issue affected Ubuntu users as well:
http://askubuntu.com/questions/667890/mod-auth-kerb-apache-2-4-not-authenticating-for-sub-folders

-- Package-specific info:

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.1-3
ii  libaprutil1              1.5.4-1
ii  libaprutil1-dbd-sqlite3  1.5.4-1
ii  libaprutil1-ldap         1.5.4-1
ii  libc6                    2.19-18+deb8u1
ii  libldap-2.4-2            2.4.40+dfsg-1+deb8u1
ii  liblua5.1-0              5.1.5-7.1
ii  libpcre3                 2:8.35-3.3
ii  libssl1.0.0              1.0.1k-3+deb8u1
ii  libxml2                  2.9.1+dfsg1-5
ii  perl                     5.20.2-3+deb8u1
ii  zlib1g                   1:1.2.8.dfsg-2+b1

apache2-bin recommends no packages.

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 depends on:
ii  apache2-data   2.4.10-10+deb8u3
ii  apache2-utils  2.4.10-10+deb8u3
ii  dpkg           1.17.25
ii  lsb-base       4.1+Debian13+nmu1
ii  mime-support   3.58
ii  perl           5.20.2-3+deb8u1
ii  procps         2:3.3.9-9

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.35

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin is related to:
ii  apache2      2.4.10-10+deb8u3
ii  apache2-bin  2.4.10-10+deb8u3

-- no debconf information
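
The symptom described in the report (no SPNEGO challenge header reaching the browser) can be checked from the client side by inspecting the response headers. The following is an added example, not part of the original report and not Apache or Debian code; the function name and the sample responses are constructed, and it assumes the affected server answers 401 without a "WWW-Authenticate: Negotiate" header.

```shell
#!/bin/sh
# classify_negotiate (hypothetical helper): read raw HTTP response headers on
# stdin and print one of:
#   offered       401 with "WWW-Authenticate: Negotiate" (SPNEGO can start)
#   missing       401 without a Negotiate challenge (symptom in the report)
#   no-challenge  any other status (not protected, redirect, error, ...)
classify_negotiate() {
    awk '
        { sub(/\r$/, "") }                          # tolerate CRLF line endings
        /^HTTP\// { status = $2; nego = 0; next }   # new response block resets state
        /^$/ { next }
        {
            name = tolower($0); sub(/:.*/, "", name)   # header names are case-insensitive
            if (name == "www-authenticate") {
                val = $0; sub(/^[^:]*:[ \t]*/, "", val)
                # the scheme is case-insensitive and may be followed by a token
                if (tolower(val) ~ /^negotiate([ \t]|$)/) nego = 1
            }
        }
        END {
            if (status != "401") print "no-challenge"
            else if (nego)       print "offered"
            else                 print "missing"
        }'
}

# Constructed sample responses (not captured from a real server).
sample_healthy() {
    printf 'HTTP/1.1 401 Unauthorized\r\nServer: Apache\r\nWWW-Authenticate: Negotiate\r\nContent-Type: text/html\r\n\r\n'
}
sample_broken() {
    # Assumption: the regressed server still returns 401 but omits the challenge.
    printf 'HTTP/1.1 401 Unauthorized\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n'
}

# Against a live server, feed it the headers of an unauthenticated request:
#   curl -s -o /dev/null -D - http://svn.foo.bar/ | classify_negotiate
for s in sample_healthy sample_broken; do
    printf '%s: %s\n' "$s" "$($s | classify_negotiate)"
done
```

Running the same check before and after a package upgrade, on both the location root and a repository sub-path, shows whether the Negotiate challenge disappeared with the update.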