Your message dated Tue, 07 Sep 2021 08:37:43 +0000
with message-id <[email protected]>
and subject line Bug#883616: fixed in libapache2-mod-auth-openidc 2.4.9.4-1
has caused the Debian Bug report #883616,
regarding Stable libapache2-mod-auth-openidc segfaults apache in Jessie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
883616: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883616
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: libapache2-mod-auth-openidc
version: 1.6.0-1
severity: serious
tags: jessie

The current "stable" version of libapache2-mod-auth-openidc in Jessie
causes Apache to segfault. Installing the version from backports works
with the same config.

Steps to reproduce (this is on a GCP instance):

1. install Debian Jessie w/apache prefork (2.4.10-10+deb8u11)
2. (without any backport repos in sources.list) apt-get install
libapache2-mod-auth-openidc
3. Enable and configure mod-auth-openidc on a vhost
4. stop/start apache
5. attempt to access the website.

The apache error logs will contain something like:

[Tue Dec 05 09:48:45.411044 2017] [core:notice] [pid 2949] AH00052: child pid 2954 exit signal Segmentation fault (11)
[Tue Dec 05 09:48:48.413427 2017] [core:notice] [pid 2949] AH00052: child pid 2955 exit signal Segmentation fault (11)
[Tue Dec 05 09:48:49.414599 2017] [core:notice] [pid 2949] AH00052: child pid 2956 exit signal Segmentation fault (11)

One line per access attempt.

Replacing with version: 2.1.6-1~bpo+1 from Jessie backports (and
installing deps: libhiredis0.10 libcjose0 from stable), and
restarting apache, the website immediately redirects to the auth
provider as expected without segfaulting.

Removing the backported 2.1.6-1 package and re-installing the stable
1.6.0-1 version causes the segfaults to recur, so this is not just a
dep problem with libhiredis0.10/libcjose0.

This package should be replaced with the backports one or removed from
main to let backports take precedence.

See Also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868949

Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03)
x86_64 GNU/Linux
libc6  2.19-18+deb8u10

-Theral Mackey

--- End Message ---
--- Begin Message ---
Source: libapache2-mod-auth-openidc
Source-Version: 2.4.9.4-1
Done: Moritz Schlarb <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Schlarb <[email protected]> (supplier of updated 
libapache2-mod-auth-openidc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Sep 2021 09:37:15 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.9.4-1
Distribution: unstable
Urgency: medium
Maintainer: Moritz Schlarb <[email protected]>
Changed-By: Moritz Schlarb <[email protected]>
Closes: 868949 883616 891224 993648
Changes:
 libapache2-mod-auth-openidc (2.4.9.4-1) unstable; urgency=medium
 .
   * New upstream version 2.4.9.4
   * Fix "CVE-2021-39191" (Closes: #993648)
   * 2.4.9.2 fixed a regression regarding segfault at reload/restart
     (Closes: #883616, #891224, #868949)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
