Package: libkrb5-3
Version: 1.18.2-1
Severity: serious
Justification: Policy 8.6.2

Hi,

libkrb5-3 version 1.18.2-1 breaks apache2 when the Kerberos authentication
module is enabled. The error message is:

 apache2: Syntax error on line 146 of /etc/apache2/apache2.conf: Syntax error 
 on line 1 of /etc/apache2/mods-enabled/auth_kerb.load: Cannot load 
 /usr/lib/apache2/modules/mod_auth_kerb.so into server: 
 /usr/lib/apache2/modules/mod_auth_kerb.so: undefined symbol: 
 krb5_rc_resolve_full, version krb5_3_MIT

The error is gone when libkrb5-3 (along with dependencies) is downgraded to 
1.17-10.

Listing symbols with nm confirms the missing symbol.

1.17-10:
 $ nm -D  /usr/lib/x86_64-linux-gnu/libkrb5.so.3   | grep krb5_rc_resolve_full
 000000000006a410 T krb5_rc_resolve_full@@krb5_3_MIT
 $

1.18.2-1:
 $ nm -D  /usr/lib/x86_64-linux-gnu/libkrb5.so.3   | grep krb5_rc_resolve_full
 $

I think this is the reason for the failing CI runs on ppc64el for squid¹ and 
bind9². The other architectures strangely don't fail -- probably because the 
test sets are different -- there is no 'apache2' in the passing logs.

 ¹ https://ci.debian.net/data/autopkgtest/testing/ppc64el/s/squid/8297228/log.gz
 ² https://ci.debian.net/data/autopkgtest/testing/ppc64el/b/bind9/8297196/log.gz

Removing a symbol deserves a soname bump, per Policy 8.6.2, thus the severity.

Looking at 88f4594e6a34c7b88bcd06ab06be2738113c226b in the packaging repository 
I see a lot of removed symbols.

krb5_rc_resolve_full disappears upstream with 
dcb853ac32779b173f39e19c0f24b0087de85771. I assume dependencies like 
libapache2-mod-auth-kerb will need to adapt to the changes.


Cheers,
    Damyan
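
The nm comparison from the report, generalized into a check that can run before an upgrade. This is an added example, not part of the original report or of the krb5 packaging: it diffs two saved `nm -D` listings and lists the imports a module can no longer resolve. The function names, file names and every sample line except the krb5_rc_resolve_full entry are constructed for illustration.

```shell
#!/bin/sh
# Added example. Listings are constructed samples in `nm -D` format; only
# krb5_rc_resolve_full@@krb5_3_MIT and its address come from the report.

# Defined dynamic symbols (address, type, name: 3 fields) as name@version.
exported_symbols() {
    awk 'NF == 3 { sub(/@@/, "@", $3); print $3 }' "$1" | LC_ALL=C sort -u
}

# Undefined symbols (type, name: 2 fields) bound to version node $2.
imports_for_node() {
    awk -v node="$2" 'NF == 2 && $1 == "U" && $2 ~ ("@" node "$") { print $2 }' "$1" |
        LC_ALL=C sort -u
}

# Symbols exported by the old library ($1) but not by the new one ($2).
removed_symbols() {
    a=$(mktemp); b=$(mktemp)
    exported_symbols "$1" > "$a"; exported_symbols "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Imports of module ($1) from node ($3) that library ($2) does not export.
unresolved_imports() {
    a=$(mktemp); b=$(mktemp)
    imports_for_node "$1" "$3" > "$a"; exported_symbols "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

SAMPLES=$(mktemp -d)
cat > "$SAMPLES/old.nm" <<'EOF'
000000000006a410 T krb5_rc_resolve_full@@krb5_3_MIT
0000000000045a10 T krb5_init_context@@krb5_3_MIT
EOF
cat > "$SAMPLES/new.nm" <<'EOF'
0000000000046b20 T krb5_init_context@@krb5_3_MIT
EOF
cat > "$SAMPLES/module.nm" <<'EOF'
                 U krb5_init_context@krb5_3_MIT
                 U krb5_rc_resolve_full@krb5_3_MIT
                 U malloc@GLIBC_2.2.5
0000000000004000 T auth_kerb_module
EOF
echo "removed from library:";  removed_symbols "$SAMPLES/old.nm" "$SAMPLES/new.nm"
echo "module cannot resolve:"; unresolved_imports "$SAMPLES/module.nm" "$SAMPLES/new.nm" krb5_3_MIT
```

On a real system the three listings would be saved from `nm -D` runs against the old library, the new library and the module; versioned names on undefined symbols depend on the binutils version in use.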
