Bug 1267614
Summary: | 1.8.14 breaks authentication | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Harald Reindl <h.reindl> |
Component: | subversion | Assignee: | Joe Orton <jorton> |
Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 22 | CC: | h.reindl, jorton, vanmeeuwen+fedora |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-07-19 18:04:05 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Harald Reindl
2015-09-30 14:08:41 UTC
What's the auth config? I don't get the comment about svnauthz: that happened in 1.8.13-7, which has been in f22 stable for a few months. Was your config broken with that package too? Please read my report again - first the broken version is mentioned in the subject, then you see apache logs with the error messages and under a spacer line the downgrade log followed by the successful commit I am currently not on my computer and need to seek the config because i configured subversion once in my life in 2007 without any changes and honestly even don't remember hiw - followed a how-to mod_dav_svn and running with httpd at least i can say for now <VirtualHost *:443> ServerName "svn.test.rh" Options +Indexes +Multiviews -FollowSymLinks SSLCertificateFile "conf/ssl/rhsoft.net.pem" SSLEngine On KeepAlive On SSLUseStapling Off <Location /> AllowMethods OPTIONS PROPFIND GET POST HEAD REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE Require ip 127.0.0.1 Require ip 10.0.0.0/24 Require ip 192.168.1.0/24 DAV svn SVNPath "/svn/updateservice/subversion" SVNListParentPath On AuthType Basic AuthName "Versionsverwaltung" AuthUserFile "/etc/httpd/conf/svn_passwd" AuthzSVNAccessFile "/etc/httpd/conf/svn_access" Require valid-user <IfModule mod_security2.c> SecRuleEngine Off </IfModule> </Location> <IfModule mod_headers.c> Header always set "Strict-Transport-Security" "max-age=31536000" </IfModule> </VirtualHost> </IfModule> obviously it's a change in 1.8.14 with the dumb default of "AuthzSVNAnonymous On", after add "AuthzSVNAnonymous Off" inside the <Location>-directive it works again likely one of that changes without change the "AuthzSVNAnonymous" default proper which sould not be enabled at all without saying so * mod_authz_svn: do not leak information in mixed anonymous/authenticated httpd (dav) configurations (CVE-2015-3184) * do not leak paths that were hidden by path-based authz (CVE-2015-3187) Interesting, thanks. I'm confused by this, I couldn't reproduce it, though there's a report upstream of similar issues with 1.8.14 and mod_auth_kerb where the 401 is not getting triggered. You don't have have a "Satisfy" present anywhere else in the configuration by any chance? no, while i think "Satisfy" is a httpd 2.2 thing and not supported in 2.4 there maybe <Directory> settings overlaying the vhost somehow (complex setup) but it's a unexpected regression anyways for a minor update - however solved with "AuthzSVNAnonymous Off" [root@srv-rhsoft:/etc/httpd/conf]$ cat *.conf | grep -i Satisfy [root@srv-rhsoft:/etc/httpd/conf]$ cd sites_enabled/ [root@srv-rhsoft:/etc/httpd/conf/sites_enabled]$ cat *.conf | grep -i Satisfy Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |