This bug has been closed as fixed in 2.4.10-1. However, Utopic 2.4.10-1ubuntu1 which is based on 2.4.10-1 certainly does not include mod_ident in the build. Is this a Debian/Ubuntu difference or was this closed too soon?
On 23 Jul 2014, at 14:03, Debian Bug Tracking System <ow...@bugs.debian.org> wrote: > This is an automatic notification regarding your Bug report > which was filed against the apache2 package: > > #752922: apache2 upgrade wheezy->jessie breaks certain apache2 modules > > It has been closed by Stefan Fritsch <s...@debian.org>. > > Their explanation is attached below along with your original report. > If this explanation is unsatisfactory and you have not received a > better one in a separate message then please contact Stefan Fritsch > <s...@debian.org> by > replying to this email. > > > -- > 711925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711925 > Debian Bug Tracking System > Contact ow...@bugs.debian.org with problems > > From: Stefan Fritsch <s...@debian.org> > Subject: Bug#711925: fixed in apache2 2.4.10-1 > Date: 23 July 2014 14:00:08 BST > To: 711925-cl...@bugs.debian.org > > > Source: apache2 > Source-Version: 2.4.10-1 > > We believe that the bug you reported is fixed in the latest version of > apache2, which is due to be installed in the Debian FTP archive. > > A summary of the changes between this version and the previous one is > attached. > > Thank you for reporting the bug, which will now be closed. If you > have further comments please address them to 711...@bugs.debian.org, > and the maintainer will reopen the bug report if appropriate. > > Debian distribution maintenance software > pp. > Stefan Fritsch <s...@debian.org> (supplier of updated apache2 package) > > (This message was generated automatically at their request; if you > believe that there is a problem with it please contact the archive > administrators by mailing ftpmas...@ftp-master.debian.org) > > > Signed PGP part > Format: 1.8 > Date: Tue, 22 Jul 2014 23:16:20 +0200 > Source: apache2 > Binary: apache2 apache2-data apache2-bin apache2-mpm-worker > apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2.2-bin > apache2.2-common libapache2-mod-proxy-html libapache2-mod-macro apache2-utils > apache2-suexec apache2-suexec-pristine apache2-suexec-custom apache2-doc > apache2-dev apache2-dbg > Architecture: source i386 all > Version: 2.4.10-1 > Distribution: unstable > Urgency: medium > Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> > Changed-By: Stefan Fritsch <s...@debian.org> > Description: > apache2 - Apache HTTP Server > apache2-bin - Apache HTTP Server (binary files and modules) > apache2-data - Apache HTTP Server (common files) > apache2-dbg - Apache debugging symbols > apache2-dev - Apache HTTP Server (development headers) > apache2-doc - Apache HTTP Server (on-site documentation) > apache2-mpm-event - transitional event MPM package for apache2 > apache2-mpm-itk - transitional itk MPM package for apache2 > apache2-mpm-prefork - transitional prefork MPM package for apache2 > apache2-mpm-worker - transitional worker MPM package for apache2 > apache2-suexec - transitional package for apache2-suexec-pristine > apache2-suexec-custom - Apache HTTP Server configurable suexec program for > mod_suexec > apache2-suexec-pristine - Apache HTTP Server standard suexec program for > mod_suexec > apache2-utils - Apache HTTP Server (utility programs for web servers) > apache2.2-bin - Transitional package for apache2-bin > apache2.2-common - Transitional package for apache2 > libapache2-mod-macro - Transitional package for apache2-bin > libapache2-mod-proxy-html - Transitional package for apache2-bin > Closes: 709461 711925 716880 751361 752922 > Changes: > apache2 (2.4.10-1) unstable; urgency=medium > . > [ Arno Töll ] > * New upstream version > + Refresh debian/patches/fhs_compliance.patch > + Security Fixes: > - CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash > - CVE-2014-0226 Fix a race condition resulting in a heap overflow in > scoreboard handling > - CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the > length and compression ratio of inflated request to mitigate a > possible DoS > - CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts > + Fixes SNI with certificate defined in global scope. (Closes: #751361) > * Warn users if they try to disable modules that we consider essential for > operation of the Apache web server (Closes: #709461) > * Drop libcap from our build-dependencies. That was needed for itk which we > gave source out to it's own package again. > * Provide apache2.2-common package to avoid upgrading problems for people > using --purge (apt) or --purge-unused (aptitude) even though that's > clearly discouraged. This caused disappearing of conffiles because we > move > them from apache2.2-common to apache2 during the upgrade. Ugh. This was > not a bug in our packaging, but an unfortunately people blame us > nonetheless even though it's not all our fault. This alternative helps > those people, but at the same time means that incompatible modules aren't > force-removed by dpkg during the upgrade. Hopefully we catch all of them > with the Breaks relation coming along (Closes: #716880, #752922, #711925) > Checksums-Sha1: > 2013cdfc3c9f1f213b3eafbeb491a30dad2e7215 3218 apache2_2.4.10-1.dsc > 00f5c3f8274139bd6160eda2cf514fa9b74549e5 5031834 apache2_2.4.10.orig.tar.bz2 > 06b5ae4315559b288a3bc5000779c69f1e1682e4 438288 apache2_2.4.10-1.debian.tar.xz > 586384adc74d32bc424f19b8fdce9cbd7e754774 1510 > libapache2-mod-proxy-html_2.4.10-1_i386.deb > b8d56e11f355f57bbaff3d7469257c4aabb81401 1492 > libapache2-mod-macro_2.4.10-1_i386.deb > 060ea2b5a60ba16d8db03b3a44a92e6b78defa50 200592 apache2_2.4.10-1_i386.deb > 22d592f15abdff5d7f0ce69f75a7a098815a50c6 162592 apache2-data_2.4.10-1_all.deb > 8cb23df407a5f58aff92e9d37c1e6a0bbc809b1e 1047466 apache2-bin_2.4.10-1_i386.deb > d26d6de3b5252d80c3d8c3f1980ee6f38e7a0f19 1508 > apache2-mpm-worker_2.4.10-1_i386.deb > 4dab37bbf741e26d8eb80600646535a6d523f044 1514 > apache2-mpm-prefork_2.4.10-1_i386.deb > e5937e9a1569226a7a937a4d4a53565e8d764348 1508 > apache2-mpm-event_2.4.10-1_i386.deb > 07d8afe1cfd6fe92aa2ff0ab7022c2cd41164848 1508 > apache2-mpm-itk_2.4.10-1_i386.deb > 58bebda2d27dcd04ce4513ef6ab852f1b6102691 1524 apache2.2-bin_2.4.10-1_i386.deb > 9add3c1895678a28ae051b62e1ce48c604275647 120734 > apache2.2-common_2.4.10-1_i386.deb > 4f5e80b535fbb801315cd8478f90cc1fdda69de2 195186 > apache2-utils_2.4.10-1_i386.deb > 86bf00dce625a7b1ba80adeadc2fb410797caece 1482 apache2-suexec_2.4.10-1_i386.deb > 3aa3c2ad901649fe2a83750791c7ccf6666ecb75 126318 > apache2-suexec-pristine_2.4.10-1_i386.deb > 45c2084157a792481cc6694ddd9ecf1cc34cf44c 127860 > apache2-suexec-custom_2.4.10-1_i386.deb > b587419d8a72cb7ce644a1b7e73324832ac6c3f5 2723100 apache2-doc_2.4.10-1_all.deb > fdd82ccbba39d2860490da7b6853f010d65cb226 277382 apache2-dev_2.4.10-1_i386.deb > 386c848cb21553045db5eae1618bdd30129f304b 1527018 apache2-dbg_2.4.10-1_i386.deb > Checksums-Sha256: > 04485d83cb0440707d078163a544b676dc4df5918638cc30567f8cb19588b560 3218 > apache2_2.4.10-1.dsc > 176c4dac1a745f07b7b91e7f4fd48f9c48049fa6f088efe758d61d9738669c6a 5031834 > apache2_2.4.10.orig.tar.bz2 > c054bfe4cb4b72bc0423188b428041272c039a86455d84a55801c0e723c88a3b 438288 > apache2_2.4.10-1.debian.tar.xz > a29fcc788de1c114e3a0d9a4a6d1141209b43aeb07c927c391a6481bc6290c2d 1510 > libapache2-mod-proxy-html_2.4.10-1_i386.deb > 8c90d686a83544769d4bf7fe90cfbfc556cf0fda5bb32dd1cd3ec0502bd53ff2 1492 > libapache2-mod-macro_2.4.10-1_i386.deb > acb17a04a8224b207e965dfada8ca2ba667eec36e43f03daca339a72b3e4bc36 200592 > apache2_2.4.10-1_i386.deb > 1c127e0c2b68e0274ba12b57211024de0391f9fb7f9efc348191ce348ce6c2b8 162592 > apache2-data_2.4.10-1_all.deb > 2f2c1b8523eb9df9cd945256fb79d7e66c794038ab6d466f156b3f4a2efb28fe 1047466 > apache2-bin_2.4.10-1_i386.deb > cd20ccd473be218a037540c2303761c5c18917f508d56287cece82941b7e65c0 1508 > apache2-mpm-worker_2.4.10-1_i386.deb > 1944268644ba9cd95b905eae6c19166c8961591f8777f78a94dfcef786173d38 1514 > apache2-mpm-prefork_2.4.10-1_i386.deb > 8a55f0b844d7da06f64162fa30b6132715b359bc02a6f620dead27544451859f 1508 > apache2-mpm-event_2.4.10-1_i386.deb > 4d1ba650e74603af8be4d05f25a19cf11e878499f9e8b69065e8c60ab437d117 1508 > apache2-mpm-itk_2.4.10-1_i386.deb > a08282a5249e73c965be0b6b140c86bd5696c01ac0473bd833d05908d252b289 1524 > apache2.2-bin_2.4.10-1_i386.deb > 160e82b982d69b7c3f03aa2d2d605456704778dea40336a2131798811f3dc367 120734 > apache2.2-common_2.4.10-1_i386.deb > 6bf38fa77e978f860e1d5295c4433fc86ff422fb88d44f1a751163fc52b95a07 195186 > apache2-utils_2.4.10-1_i386.deb > a497aa62e507c4f3b1eada1184b0ba976b2d2435c980ac51ee6e0a7f6ab25687 1482 > apache2-suexec_2.4.10-1_i386.deb > a8e91f947402c55bb6796e63fc48d7d945fe01924548aee7c6ec312d0b52dd59 126318 > apache2-suexec-pristine_2.4.10-1_i386.deb > 56e2275b0b060bea09793046cb798aee49686256b20d847732c97cd213880b9d 127860 > apache2-suexec-custom_2.4.10-1_i386.deb > ffc33f6c7c09b44aa3ad7ec061798dbc68d1e45f7d8617bbde34f4f907e39e62 2723100 > apache2-doc_2.4.10-1_all.deb > a3f0afedfe52e4b86b4dcbfacb27912e8a608b04e254e4f68ac93c0d61c7d39d 277382 > apache2-dev_2.4.10-1_i386.deb > 48e3b714dc5713d2904d1e950297398aeb3add95ea4887913b078f0f27d3d28d 1527018 > apache2-dbg_2.4.10-1_i386.deb > Files: > ec308851198083b0fae2744f9618dcea 1510 oldlibs extra > libapache2-mod-proxy-html_2.4.10-1_i386.deb > 70506c70c2b772cc4e9e45fdfeac4fd4 1492 oldlibs extra > libapache2-mod-macro_2.4.10-1_i386.deb > 29ebfa68ec50f98ab35172c3f1c58e23 200592 httpd optional > apache2_2.4.10-1_i386.deb > 765cb731f27196675bb6a6a0b676dfe5 162592 httpd optional > apache2-data_2.4.10-1_all.deb > 924ef3cbfb4ea2587d6da241551ecbcc 1047466 httpd optional > apache2-bin_2.4.10-1_i386.deb > 7e0228b66c2a891c08b5edb59e47ca57 1508 oldlibs extra > apache2-mpm-worker_2.4.10-1_i386.deb > f04b2fc544775adf9c7971f990cd5eef 1514 oldlibs extra > apache2-mpm-prefork_2.4.10-1_i386.deb > edd44817eafa977770e6ee801c09735e 1508 oldlibs extra > apache2-mpm-event_2.4.10-1_i386.deb > 47f95a8d1b5c7b25f77165f160b987b7 1508 oldlibs extra > apache2-mpm-itk_2.4.10-1_i386.deb > 9663f2c726462cd3d18db55e0f00f791 1524 oldlibs extra > apache2.2-bin_2.4.10-1_i386.deb > 518bd4a1aea46ed676ee834a687c9fc8 120734 oldlibs extra > apache2.2-common_2.4.10-1_i386.deb > 8de91142a96c19001909cbd2b0dd770e 195186 httpd optional > apache2-utils_2.4.10-1_i386.deb > e811af97e9a84851851ffa32dc1a0956 1482 oldlibs extra > apache2-suexec_2.4.10-1_i386.deb > af03254d02c4bfd6c1e27cac80a68b2c 126318 httpd optional > apache2-suexec-pristine_2.4.10-1_i386.deb > 878c8e2722a72a4d62dae5fadd97722d 127860 httpd extra > apache2-suexec-custom_2.4.10-1_i386.deb > e502d43c348fb4af62a475bf2ac0c68c 2723100 doc optional > apache2-doc_2.4.10-1_all.deb > f648a50a9d417501655ec9fb26298f5a 277382 httpd optional > apache2-dev_2.4.10-1_i386.deb > 786dd3cabdc7b7bdfdf23954f1c0cff0 1527018 debug extra > apache2-dbg_2.4.10-1_i386.deb > 31c37885d7cb41e97b9edb7531c0e3cd 3218 httpd optional apache2_2.4.10-1.dsc > 44543dff14a4ebc1e9e2d86780507156 5031834 httpd optional > apache2_2.4.10.orig.tar.bz2 > 75548a0e0564df47c26c84cc4c92bc60 438288 httpd optional > apache2_2.4.10-1.debian.tar.xz > > > > From: Alex Bligh <a...@alex.org.uk> > Subject: apache2 upgrade wheezy->jessie breaks certain apache2 modules > Date: 27 June 2014 20:35:39 BST > To: Debian Bug Tracking System <sub...@bugs.debian.org> > > > Package: apache2 > Version: 2.4.9-2 > Severity: important > > Dear Maintainer, > > Upgrading from stable (wheezy) to testing (jessie) permanently breaks certain > apache2 modules. > > This bug has also been filed for Ubuntu: > https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1333388 > but the Ubuntu folks suggested this should be fixed upstream so I am filing > the bug report here. This report should be a bit easier to read. > > When stable is upgraded to testing, apache 2.2 is replaced by apache 2.4. > Under apache 2.4, the default set of modules build is different to that under > apache 2.2, and certain modules (e.g. mod_ident, which is the one that bit > me) are not built, and are not included by default in the apache 2.4 package. > Nor are they included in any other package. > > This is in itself a problem, because any systems relying on these modules > will not survive the upgrade. > > Worse, though is what happens after an upgrade. I rebuilt mod_ident as a > separate .deb in the hope it would work and could be contributed back: > > https://github.com/abligh/libapache-mod-ident > > However, this exposes a conffile handling issue which is hard to work around > in any normal manner. > > The issue is as follows. When apache2.2-common is installed, it has a > conffile for the .load file of the relevant module. In this instance: > > root@debiantest:~# dpkg-query -W -f='${Conffiles}' apache2.2-common | fgrep > ident > /etc/apache2/mods-available/ident.load 51ba623a8a2bd71c512f847d02e0934f > > When this is upgraded to jessie (using fist-upgrade), the conffile is > (correctly) removed, but the record of the conffile still exists under the > apache2.2-common package. > > During install we see: > Removing apache2.2-common (2.2.22-13+deb7u1) ... > (Reading database ... 14345 files and directories currently installed.) > Preparing to unpack .../apache2_2.4.9-2_amd64.deb ... > Moving obsolete conffile /etc/apache2/mods-available/authz_default.load out > of the way... > Moving obsolete conffile /etc/apache2/mods-available/authn_default.load out > of the way... > Moving obsolete conffile /etc/apache2/mods-available/mem_cache.load out of > the way... > Moving obsolete conffile /etc/apache2/mods-available/mem_cache.conf out of > the way... > Moving obsolete conffile /etc/apache2/mods-available/authn_alias.load out of > the way... > Moving obsolete conffile /etc/apache2/mods-available/cern_meta.load out of > the way... > Moving obsolete conffile /etc/apache2/mods-available/disk_cache.load out of > the way... > Moving obsolete conffile /etc/apache2/mods-available/disk_cache.conf out of > the way... > Moving obsolete conffile /etc/apache2/mods-available/ident.load out of the > way... > Moving obsolete conffile /etc/apache2/mods-available/imagemap.load out of the > way... > Unpacking apache2 (2.4.9-2) over (2.2.22-13+deb7u1) ... > > > but then afterwards: > > root@debiantest:~# dpkg --list | fgrep apache > ii apache2 2.4.9-2 amd64 Apache > HTTP Server > ii apache2-bin 2.4.9-2 amd64 Apache > HTTP Server (binary files and modules) > ii apache2-data 2.4.9-2 all Apache > HTTP Server (common files) > ii apache2-mpm-worker 2.4.9-2 amd64 > transitional worker MPM package for apache2 > ii apache2-utils 2.4.9-2 amd64 Apache > HTTP Server (utility programs for web servers) > ii apache2.2-bin 2.4.9-2 amd64 > Transitional package for apache2-bin > rc apache2.2-common 2.2.22-13+deb7u1 amd64 Apache > HTTP Server common files > root@debiantest:~# dpkg-query -W -f='${Conffiles}' apache2.2-common | fgrep > ident > /etc/apache2/mods-available/ident.load 51ba623a8a2bd71c512f847d02e0934f > > > Now imagine you have another package which depends on mod_ident to work. It > can: > > Depends: apache2, apache2.2-bin | libapache2-mod-ident > > which means it will pull in another libapache2-mod-ident module for apache > 2.4 at the time of the upgrade as apache2.2-bin will be removed. > > However, this then won't install the conffile above as apache2.2-common owns > it. Adding Replaces: Breaks: to the 2.4 module is insufficient as thought > this marks apache2.2's entry for the conffile as obsolete, the .load file > still doesn't get installed. Commit cb55f139c661cd345f1e1234a977f6c17b653bd1 > to the version of mod_ident above works around this in a fairly disgusting > manner, i.e. Replaces: Breaks:, plus copying the file in manually in the > .postinst if it's not already there. > > In summary, the change to 2.4 makes it VERY HARD to safely upgrade from > wheezy to jessie if a program relies upon the relevant modules. I can see why > the auth modules might have been deprecated, but I see no reason why the > ident module should have been. > > I would suggest: > * Produce a apache2-mod-extra package containing the non-default modules > (i.e. build with the 'reallyall' parameter to configure but put these extra > modules in a separate package); > or > * Build the excised modules into separate packages; or > * Reinstate these to the main package > > The problem with the third option is now any users of these will have worked > around the problem by producing their own package, an updated version which > reinstates them will break that package. > > The full list of modules affected is (I think): > authn_alias > authn_default > authz_default > cern_meta > disk_cache > ident > imagemap > mem_cache > version > > > > -- Package-specific info: > > -- System Information: > Debian Release: jessie/sid > APT prefers testing > APT policy: (500, 'testing') > Architecture: amd64 (x86_64) > > Kernel: Linux 3.13.0-29-generic (SMP w/2 CPU cores) > Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) > Shell: /bin/sh linked to /bin/dash > > Versions of packages apache2 depends on: > ii apache2-bin 2.4.9-2 > ii apache2-data 2.4.9-2 > ii lsb-base 4.1+Debian13 > ii mime-support 3.56 > ii perl 5.18.2-4 > ii procps 1:3.3.9-5 > > Versions of packages apache2 recommends: > ii ssl-cert 1.0.34 > > Versions of packages apache2 suggests: > pn apache2-doc <none> > pn apache2-suexec-pristine | apache2-suexec-custom <none> > ii apache2-utils 2.4.9-2 > pn www-browser <none> > > Versions of packages apache2-bin depends on: > ii libapr1 1.5.1-2 > ii libaprutil1 1.5.3-2 > ii libaprutil1-dbd-sqlite3 1.5.3-2 > ii libaprutil1-ldap 1.5.3-2 > ii libc6 2.19-3 > ii libldap-2.4-2 2.4.39-1 > ii liblua5.1-0 5.1.5-5 > ii libpcre3 1:8.31-5 > ii libssl1.0.0 1.0.1h-3 > ii libxml2 2.9.1+dfsg1-3 > ii perl 5.18.2-4 > ii zlib1g 1:1.2.8.dfsg-1 > > Versions of packages apache2-bin suggests: > pn apache2-doc <none> > pn apache2-suexec-pristine | apache2-suexec-custom <none> > pn www-browser <none> > > Versions of packages apache2 is related to: > ii apache2 2.4.9-2 > ii apache2-bin 2.4.9-2 > > -- no debconf information > > -- Alex Bligh
signature.asc
Description: Message signed with OpenPGP using GPGMail
