Bug 1267614

Summary: 1.8.14 breaks authentication
Product: [Fedora] Fedora Reporter: Harald Reindl <h.reindl>
Component: subversionAssignee: Joe Orton <jorton>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: h.reindl, jorton, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-19 18:04:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Harald Reindl 2015-09-30 14:08:41 UTC 
1.8.14 breaks for years now working setups 

i realized the "move svnauthz to -tools" and installed "subversion-tools" followed by a hard restart of httpd, no change, downgrade and all is working fine again - sorry but not acceptable for a minor update
____________________________________________________

1.8.14:

[Wed Sep 30 15:44:48.133571 2015] [authz_svn:error] [pid 24348] [client 10.0.0.99:50460] Access denied: - OPTIONS :/contentlounge/modules/dns
[Wed Sep 30 15:46:14.068687 2015] [authz_svn:error] [pid 5177] [client 10.0.0.99:50462] Access denied: - OPTIONS :/contentlounge/modules/dns
[Wed Sep 30 15:52:52.755016 2015] [authz_svn:error] [pid 5175] [client 10.0.0.99:50494] Access denied: - OPTIONS :/contentlounge/modules/dns
[Wed Sep 30 15:54:13.702543 2015] [authz_svn:error] [pid 24351] [client 10.0.0.99:50510] Access denied: - OPTIONS :/contentlounge/modules/dns

[harry@rh:~]$ svn-commit.sh "Panel: Rename-Option fuer A-Records implementiert nachdem ich die jetzt schon viel zu oft brauche und immer in der Datenbank direkt rumschreiben muss"
svn: E175013: Übertragen schlug fehl (Details folgen):
svn: E175013: Unable to connect to a repository at URL 'http://svn/contentlounge/modules/dns'
svn: E175013: Zugriff auf »/contentlounge/modules/dns« verboten
____________________________________________________

Sep 30 16:03:08 INFO Downgraded: subversion-libs-1.8.13-7.fc22.x86_64
Sep 30 16:03:08 INFO Downgraded: subversion-libs-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-kde-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-kde-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-tools-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: subversion-tools-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: mod_dav_svn-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Downgraded: mod_dav_svn-1.8.13-7.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-tools-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-tools-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-kde-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-kde-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: mod_dav_svn-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: mod_dav_svn-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-libs-1.8.14-1.fc22.x86_64
Sep 30 16:03:09 INFO Erased: subversion-libs-1.8.14-1.fc22.x86_64

[harry@rh:~]$ svn-commit.sh "Panel: Rename-Option fuer A-Records implementiert nachdem ich die jetzt schon viel zu oft brauche und immer in der Datenbank direkt rumschreiben muss"
Sende              modules/dns/gui.php
Sende              modules/dns/library.php
Übertrage Daten ..
Revision 3939 übertragen
____________________________________________________
Comment 1 Joe Orton 2015-10-02 18:09:39 UTC 
What's the auth config?
Comment 2 Joe Orton 2015-10-02 18:14:35 UTC 
I don't get the comment about svnauthz: that happened in 1.8.13-7, which has been in f22 stable for a few months.  Was your config broken with that package too?
Comment 3 Harald Reindl 2015-10-02 18:19:31 UTC 
Please read my report again - first the broken version is mentioned in the subject, then you see apache logs with the error messages and under a spacer line the downgrade log followed by the successful commit
Comment 4 Harald Reindl 2015-10-02 18:23:30 UTC 
I am currently not on my computer and need to seek the config because i configured subversion once in my life in 2007 without any changes and honestly even don't remember hiw - followed a how-to 

mod_dav_svn and running with httpd at least i can say for now
Comment 5 Harald Reindl 2015-10-03 01:49:25 UTC 
 <VirtualHost *:443>
  ServerName             "svn.test.rh"
  Options                +Indexes +Multiviews -FollowSymLinks
  SSLCertificateFile     "conf/ssl/rhsoft.net.pem"
  SSLEngine              On
  KeepAlive              On
  SSLUseStapling         Off
  <Location />
   AllowMethods          OPTIONS PROPFIND GET POST HEAD REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE
   Require               ip 127.0.0.1
   Require               ip 10.0.0.0/24
   Require               ip 192.168.1.0/24
   DAV                   svn
   SVNPath               "/svn/updateservice/subversion"
   SVNListParentPath     On
   AuthType              Basic
   AuthName              "Versionsverwaltung"
   AuthUserFile          "/etc/httpd/conf/svn_passwd"
   AuthzSVNAccessFile    "/etc/httpd/conf/svn_access"
   Require               valid-user
   <IfModule mod_security2.c>
    SecRuleEngine        Off
   </IfModule>
  </Location>
  <IfModule mod_headers.c>
   Header always set "Strict-Transport-Security" "max-age=31536000"
  </IfModule>
 </VirtualHost>
</IfModule>
Comment 6 Harald Reindl 2015-10-15 11:39:41 UTC 
obviously it's a change in 1.8.14 with the dumb default of "AuthzSVNAnonymous On", after add "AuthzSVNAnonymous Off" inside the <Location>-directive it works again

likely one of that changes without change the "AuthzSVNAnonymous"
default proper which sould not be enabled at all without saying so

 * mod_authz_svn: do not leak information in mixed anonymous/authenticated
   httpd (dav) configurations (CVE-2015-3184)
 * do not leak paths that were hidden by path-based authz (CVE-2015-3187)
Comment 7 Joe Orton 2015-10-16 12:40:49 UTC 
Interesting, thanks.  I'm confused by this, I couldn't reproduce it, though there's a report upstream of similar issues with 1.8.14 and mod_auth_kerb where the 401 is not getting triggered.

You don't have have a "Satisfy" present anywhere else in the configuration by any chance?
Comment 8 Harald Reindl 2015-10-16 12:45:59 UTC 
no, while i think "Satisfy" is a httpd 2.2 thing and not supported in 2.4 there maybe <Directory> settings overlaying the vhost somehow (complex setup) but it's a unexpected regression anyways for a minor update - however solved with "AuthzSVNAnonymous Off"

[root@srv-rhsoft:/etc/httpd/conf]$ cat *.conf | grep -i Satisfy
[root@srv-rhsoft:/etc/httpd/conf]$ cd sites_enabled/
[root@srv-rhsoft:/etc/httpd/conf/sites_enabled]$ cat *.conf | grep -i Satisfy
Comment 9 Fedora End Of Life 2016-07-19 18:04:05 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.