apache2 wheezy backport

2013-09-21 Thread Matt Taggart
Hi apache maintainers,

Could you provide a backport of jessie apache2 to wheezy-backports? I would 
like some of the newer SSL features.

Someone pointed out this HOWTO

  https://tinyurl.com/nl8965g

that is recommending people frankenstein their systems by installing jessie 
libc6 in order to install jessie apache2 on wheezy. I think a backport 
would be a much cleaner way of solving that.

(there may be some additional things in that HOWTO that would be good to 
consider for the apache2 packages, I haven't reviewed it closely to see if 
it's good advice)

If this is just a matter of rebuilding things for wheezy-backports and 
uploading and you'd like me to do that, just let me know.

Thanks,

-- 
Matt Taggart
tagg...@debian.org



-- 
To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130921204835.5eea3...@taggart.lackof.org



Bug#719791: marked as done (libapr1: Crash in libapr when using svn+ssh URL in svn:externals)

2013-09-21 Thread Debian Bug Tracking System
Your message dated Sat, 21 Sep 2013 23:33:05 +0200
with message-id <12901409.q6mG4au2WF@k>
and subject line Re: Bug#719791: Problem has gone since new subversion package 
version
has caused the Debian Bug report #719791,
regarding libapr1: Crash in libapr when using svn+ssh URL in svn:externals
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
719791: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719791
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapr1
Version: 1.4.8-1
Severity: normal
Tags: upstream

Dear Maintainer,

   * What led up to the situation?

I am using a svn+ssh URL in the svn:externals property to map in a directory 
from another repository:

$ svn pg svn:externals . 
trunk svn+ssh://u...@host.org/svnroot/repos/trunk/

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

Now I want to run svn up so the external is checked out

   * What was the outcome of this action?

svn up fails with this message: 

$ LANG=C svn up 
svn: warning: Error handling externals definition for 'trunk':
svn: warning: To better debug SSH connection problems, remove the -q option 
from 'ssh' in the [tunnels] section of your Subversion configuration file.


   * What outcome did you expect instead?

svn up should check out the external repository into directory trunk


   * Things I tried:

I tried also without the user@ in the URL, placing the user information in my 
.ssh/config, same result.

Same behaviour on Ubuntu

Interestingly, on Scientific Linux release 6.2 it works if ~/.ssh/config does 
NOT exist. Otherwise, same error. That's why I suspect the error is upstream.

Using gdb I found that a child process segfaults, in the function 
run_child_cleanups, and this failure seems to be the cause of the message

I installed the package libapr1-dbg to get debugging symbols, then the 
backtrace in gdb looks like this:


$ LANG=C gdb svn
GNU gdb (GDB) 7.6 (Debian 7.6-5)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/bin/svn...(no debugging symbols found)...done.
(gdb) set follow-fork-mode child
(gdb) r up 
Starting program: /usr/bin/svn up
warning: no loadable sections found in added symbol-file system-supplied DSO at 
0x77ffa000
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New process 25454]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x77fbc780 (LWP 25454)]
0x in ?? ()
(gdb) bt
#0  0x in ?? ()
#1  0x76ec2eee in run_child_cleanups (cref=0x77fec048) at 
../memory/unix/apr_pools.c:2365
#2  cleanup_pool_for_exec (p=p@entry=0x77fec028) at 
../memory/unix/apr_pools.c:2372
#3  0x76ec2f08 in cleanup_pool_for_exec (p=0x77fec028) at 
../memory/unix/apr_pools.c:2375
#4  0x76ec500c in apr_pool_cleanup_for_exec () at 
../memory/unix/apr_pools.c:2380
#5  0x76ecdb94 in apr_proc_create (new=, 
progname=0x77f4c1e0 "ssh", args=0x77f4c210, env=0x7fffd4c0, 
attr=0x77f4e1c8, pool=0x77f4e028) at ../threadproc/unix/proc.c:425
#6  0x75a0ff45 in ?? () from 
/usr/lib/x86_64-linux-gnu/libsvn_ra_svn-1.so.1
#7  0x75a12ad1 in ?? () from 
/usr/lib/x86_64-linux-gnu/libsvn_ra_svn-1.so.1
#8  0x77748542 in svn_ra_open3 () from 
/usr/lib/x86_64-linux-gnu/libsvn_ra-1.so.1
#9  0x77bcb084 in svn_client__open_ra_session_internal () from 
/usr/lib/x86_64-linux-gnu/libsvn_client-1.so.1
#10 0x77bcbdda in svn_client__ra_session_from_path () from 
/usr/lib/x86_64-linux-gnu/libsvn_client-1.so.1
#11 0x77bbbd23 in ?? () from 
/usr/lib/x86_64-linux-gnu/libsvn_client-1.so.1
#12 0x77bbc91e in ?? () from 
/usr/lib/x86_64-linux-gnu/libsvn_client-1.so.1
#13 0x770f57d3 in svn_hash_diff () from 
/usr/lib/x86_64-linux-gnu/libsvn_subr-1.so.1
#14 0x77bbcb2d in svn_client__handle_

Bug#661735: Log rotation fails after package update without reboot

2013-09-21 Thread Stefan Fritsch
On Sunday, 8 September 2013, 17:33:38, Bart Schuurmans wrote:
> The problem seems to be that reloading apache (as is done in
> /etc/logrotate.d/apache2) does not trigger a log file reopen. The
> apache documentation suggests a graceful restart to reopen log
> files[1].

No, that cannot be the reason. /etc/init.d/apache2 reload does a 
graceful restart.


-- 
Archive: http://lists.debian.org/2649383.9eUVOlQlml@k



Bug#721563: apache2: please update itk to 2.4.x

2013-09-21 Thread Stefan Fritsch
On Sunday, 1 September 2013, 22:42:30, brian m. carlson wrote:
> Package: apache2
> Version: 2.4.6-3
> Severity: wishlist
> 
> The version of mpm_itk included with the apache2 package doesn't
> support the AssignUserIDExpr, LimitUIDRange, or LimitGIDRange
> options.  I would like to use this functionality to implement sane
> git uploads over HTTP. Is it possible that you could update the itk
> MPM to something from the ITK 2.4.x series, now that Apache 2.4 is
> in unstable?

Newer ITK versions are no longer an MPM but normal modules that use 
the prefork MPM. This requires some packaging work and proper handling 
during upgrades, which we haven't had time to do, yet. So this will 
take some time.


-- 
Archive: http://lists.debian.org/2634279.CAvGSWWgpd@k



Processed: tagging 723196

2013-09-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 723196 + pending
Bug #723196 [apache2] apache2: Typo in conf-available/serve-cgi-bin.conf
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
723196: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723196
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
Archive: 
http://lists.debian.org/handler.s.c.13797995933414.transcr...@bugs.debian.org



Re: mod_status feature

2013-09-21 Thread Stefan Fritsch
On Friday, 20 September 2013, 14:16:26, Ricardo Cropalato wrote:
> Hi,
> 
> Sometimes I need to have a quick view of my server status. Usually
> mod_status is good enough. But sometimes I need to be able to see
> the full URL of the request, and apache2 limits it to 63 chars by default.
> I patched apache2 and it is working for me. The problem with my patch
> is that I need to recompile tons of packages because of dependencies
> (php for example).
> Is it possible for me to request that this feature be applied by you
> (debian-apache maintainers)? If yes, what is the procedure?
> 

No, I am sorry. We don't want to break ABI compatibility with upstream 
Apache.

Cheers,
Stefan


-- 
Archive: http://lists.debian.org/2172179.p59qRWYRkC@k



Re: apache2 wheezy backport

2013-09-21 Thread Stefan Fritsch
Hi Matt,

On Saturday, 21 September 2013, 13:48:35, Matt Taggart wrote:
> Could you provide a backport of jessie apache2 to wheezy-backports?

That would be a rather large piece of work. It would be incompatible 
with basically all apache modules and web-app packages in wheezy, so 
those would need backporting, too. Considering that there is still 
plenty of work to do in jessie, I don't think a backport will happen 
anytime soon.

> I would like some of the newer SSL features.

If you are only looking for ECC/ECDHE, you could try this patch
http://people.apache.org/~sf/ECC-2.2-v2.diff on the wheezy package. I 
think we may include it in a future wheezy point release, but I would 
like it to be approved for upstream 2.2.x, first.

> Someone pointed out this HOWTO
> 
>   https://tinyurl.com/nl8965g
> 
> that is recommending people frankenstein their systems by installing
> jessie libc6 in order to install jessie apache2 on wheezy. I think
> a backport would be a much cleaner way of solving that.

Updating to jessie seems like the only sane solution right now.

Cheers,
Stefan


-- 
Archive: http://lists.debian.org/1933183.ZaSZLq5pCG@k



Re: apache2 wheezy backport

2013-09-21 Thread Patrick Godschalk
Hi,

> If you are only looking for ECC/ECDHE, you could try this patch
> http://people.apache.org/~sf/ECC-2.2-v2.diff on the wheezy package. I 
> think we may include it in a future wheezy point release, but I would 
> like it to be approved for upstream 2.2.x, first.
I got pointed to this particular thread. The patchfile you mentioned
seems okay, save for two issues.

First, the patch still has hardcoded 1024-bit DH parameters. While
offering forward secrecy, using 1k DH makes for a weaker key exchange
than using 4096-bit RSA. Personally, I'd actually argue against using
ephemeral DH exchanges with 1024 bit DH params in favour of 4k RSA
exchanges. But I am rather paranoid about this.

More importantly, the patch still uses NID_X9_62_prime256v1 which in
turn uses Dual_EC_DRBG as its pseudo-RNG. This is problematic, as there
have long been suspicions about this PRNG being not so random which have
recently surfaced again:

  

More importantly, the NIST now actively discourages use of Dual_EC_DRBG
in 800-90A:

  

For this reason I'd not only strongly argue in favour of using
NID_secp521r1 for the ECDH exchange - but I'd actually argue against
using ECDHE altogether with curve P256 because of the aforementioned
issue.

A problem with this is that both changes, but especially the increased
DH pool size, also result in increased server load which may not be
desirable. This could be solved by having a configuration directive to
specify a path to a DH params file.

Lastly, I'd like to note that I do not regularly follow this list. I
apologize in advance for any conventions on this mailing list I haven't
followed.

-- 
Patrick Godschalk
arg...@argure.nl
GPG: 
This e-mail falls under the CC0 1.0 Universal Public Domain Dedication.




-- 
Archive: http://lists.debian.org/1379807185.20367.18.ca...@alderaan.argure.nl
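
The two replies above turn on which key exchange a server ends up offering (RSA, DHE with fixed DH parameters, ECDHE). As an added example, not part of the thread or of the patch it discusses, this script classifies each suite in `openssl ciphers -v` output by its `Kx=` field; the sample lines are constructed in the OpenSSL 1.0.x output format and the function names are illustrative.

```python
"""Classify cipher suites by key exchange from `openssl ciphers -v` output."""
import re

# Constructed sample lines in the `openssl ciphers -v` format (OpenSSL 1.0.x).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

LINE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")

def classify(kx):
    """Map a Kx= field to (label, forward_secret)."""
    if kx == "ECDH":
        return "ECDHE", True           # ephemeral ECDH
    if kx == "DH":
        return "DHE", True             # ephemeral finite-field DH
    if kx.startswith(("ECDH/", "DH/")):
        return "static " + kx.split("/")[0], False  # fixed key from the certificate
    if kx == "any":
        return "TLS1.3", True          # newer OpenSSL: TLS 1.3 suites, always ephemeral
    return kx, False                   # RSA key transport, PSK, ...

def audit(text):
    """Return (suite, key-exchange label, forward_secret, notes) per parsed line."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                   # skip anything not in the expected format
        label, fs = classify(m["kx"])
        notes = []
        if label == "DHE":
            notes.append("strength bounded by server DH parameter size")
        if m["au"] == "None":
            notes.append("anonymous: no server authentication")
        if not fs:
            notes.append("no forward secrecy")
        rows.append((m["name"], label, fs, notes))
    return rows

if __name__ == "__main__":
    for name, label, fs, notes in audit(SAMPLE):
        print(f"{name:30} {label:12} FS={'yes' if fs else 'no':3} {'; '.join(notes)}")
```

To check a real configuration, pass it the output of `openssl ciphers -v` run on the server's `SSLCipherSuite` string instead of `SAMPLE`.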