[Following a discussion on IRC.]

Upstream httpd uses the Module Magic Number (MMN) to identify the API provided by the server for loadable modules. The MMN has a major component that records changes that break the ABI in ways that require modules to be recompiled, and a minor component for changes that do not alter the previous ABI. Typically the major component only changes between major releases, e.g. 2.2 is different from 2.4. The minor component can change in minor releases, typically when a minor release introduces a new API: modules that do not use the new API do not need to be recompiled.

For CVE-2015-3185 httpd introduced ap_some_authn_required and bumped the minor MMN. Subversion's fix for CVE-2015-3184 requires the new API and the mod_authz_svn code uses the MMN to determine whether the new API is available. Subversion will not build without the API, unless configured with --enable-broken-httpd-auth, the use of which produces a module that does not have the security fix.

A problem occurs when a Linux distribution has a policy of patching old httpd releases for security fixes rather than updating httpd to a newer version. Debian have patched their httpd 2.4.10 for CVE-2015-3185 and provide ap_some_authn_required but have not bumped the MMN because they do not provide all of the API changes in 2.4.16. This means the MMN of Debian's httpd doesn't really match a released httpd. RedHat have not yet released a fix to CVE-2015-3185 but if they do then I suspect they may do something similar.

The net result is that Subversion's use of MMN to detect the new API doesn't work on some Linux distributions and Subversion fails to build.

A typical autoconf solution would be AC_CHECK_FUNC but that will not work here because this is a server API not a library API. Writing an autoconf test would probably involve building an apache module, writing an apache config file and running apache. That is hard. Getting autoconf to detect the function prototype with something like AC_COMPILE_IFELSE is also hard because the compiler behaviour is not portable. Writing autoconf code to run grep on the httpd header file might be an option.

We could add a configure option to use the new API even when the MMN has not been updated, the opposite of --enable-broken-httpd-auth. Or we could leave users to edit the Subversion source code.

-- 
Philip Martin
WANdisco
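The header-grep option mentioned in the message, sketched as an added example (not Subversion's configure code and not part of the original post): it trusts the MMN first and falls back to looking for the declaration, so a backported httpd with an unchanged MMN is still detected. Assumptions: the header names ap_mmn.h and http_request.h, the AP_DECLARE form of the prototype, and the function names; the MMN numbers and header contents are constructed sample data.

```shell
#!/bin/sh
# Added example: detect ap_some_authn_required by MMN, then by header grep.

# Read MODULE_MAGIC_NUMBER_MAJOR or _MINOR from ap_mmn.h (assumed header name).
mmn_field() {  # $1 = include dir, $2 = MAJOR or MINOR
  sed -n "s/^#define[[:space:]]\{1,\}MODULE_MAGIC_NUMBER_$2[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p" \
    "$1/ap_mmn.h" | head -n 1
}

# Same comparison that httpd's AP_MODULE_MAGIC_AT_LEAST(major, minor) performs.
mmn_at_least() {  # $1 = include dir, $2 = required major, $3 = required minor
  maj=$(mmn_field "$1" MAJOR); min=$(mmn_field "$1" MINOR)
  [ -n "$maj" ] && [ -n "$min" ] || return 1
  [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# Match a declaration at the start of a line, not a mention inside a comment.
header_declares() {  # $1 = include dir
  grep -E '^[[:space:]]*AP_DECLARE\([^)]*\)[[:space:]]*ap_some_authn_required[[:space:]]*\(' \
    "$1/http_request.h" >/dev/null 2>&1
}

# Prints "mmn" (MMN is new enough), "header" (backport found) or "missing".
detect_authn_api() {  # $1 = include dir, $2 = required major, $3 = required minor
  if mmn_at_least "$1" "$2" "$3"; then echo mmn
  elif header_declares "$1"; then echo header
  else echo missing
  fi
}

# Build a constructed include directory for the demonstration.
make_sample() {  # $1 = dir, $2 = minor MMN, $3 = yes|no (declare the function)
  mkdir -p "$1"
  printf '#define MODULE_MAGIC_NUMBER_MAJOR 20120211\n#define MODULE_MAGIC_NUMBER_MINOR %s\n' \
    "$2" > "$1/ap_mmn.h"
  echo '/* ap_some_authn_required is mentioned only in this comment */' > "$1/http_request.h"
  if [ "$3" = yes ]; then
    echo 'AP_DECLARE(int) ap_some_authn_required(request_rec *r);' >> "$1/http_request.h"
  fi
}

tmp=$(mktemp -d)
make_sample "$tmp/upstream" 47 yes   # constructed: MMN bumped, API present
make_sample "$tmp/backport" 36 yes   # constructed: API backported, MMN unchanged
make_sample "$tmp/old" 36 no         # constructed: no fix applied
for t in upstream backport old; do
  echo "$t: $(detect_authn_api "$tmp/$t" 20120211 47)"
done
rm -rf "$tmp"
```

A "header" result only shows that the installed headers declare the function; it does not prove the running server exports it, which is the limitation the message notes for a server API.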

