Bug 1306431

Summary: Fix for CVE-2015-3184 breaks mod_authz_svn so that it doesn't work with mod_auth_kerb
Product: Red Hat Enterprise Linux 7
Reporter: Frank Hirtz <fhirtz>
Component: subversion
Assignee: Joe Orton <jorton>
Status: CLOSED ERRATA
QA Contact: qe-baseos-daemons
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.2
CC: ovasik
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: subversion-1.7.14-13.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 17:31:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1298243, 1400961, 1420851, 1465904, 1466370, 1472751
Attachments:
"ported" patch (flags: none)

Description Frank Hirtz 2016-02-10 20:57:28 UTC
Created attachment 1122910
"ported" patch

Description of problem:

URL: http://svn.apache.org/viewvc?rev=1708699&view=rev

The fix for CVE-2015-3184 (Subversion) and CVE-2015-3185 (httpd) broke
the use of 3rd party modules such as mod_auth_kerb and mod_auth_ntlm
when mandatory authn was combined with mod_authz_svn.  The problem
was httpd returned a 401 response without an Authentication header
meaning the client was unable to authenticate.  By returning DECLINED
we allow the authn module to generate a 401 with the correct headers.

Version-Release number of selected component (if applicable):
subversion-1.7.14-10

How reproducible:
Always

Steps to Reproduce:
Set up an SVN repository and HTTP server with Kerberos authentication. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799105 for a sample config reproducer. Without the patch, you would get an unauthorized error. With the patch, you should get authenticated.
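To make the hook-return semantics in the description concrete, here is an added stand-alone C simulation (not httpd, mod_auth_kerb or Subversion code; the request struct, the hook stand-ins and the simplified request runner are constructed for illustration) contrasting the pre-r1708699 access checker with the fixed one for an anonymous request:

```c
#include <stdio.h>
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401
static const char NEGOTIATE[] = "Negotiate";   /* challenge value mod_auth_kerb would send */
/* Constructed stand-in for httpd's request_rec, reduced to the two fields that matter here. */
typedef struct {
    const char *user;             /* NULL until an authn module authenticates the client */
    const char *www_authenticate; /* challenge header, added only by the authn module */
} request_sim;
/* mod_authz_svn access_checker stand-in before r1708699: with mandatory authn
 * and no user yet, it answers 401 itself, so the request ends right here. */
static int authz_svn_access_checker_buggy(request_sim *r) {
    return r->user ? OK : HTTP_UNAUTHORIZED;
}
/* After r1708699: decline, leaving it to the authn module to build the 401. */
static int authz_svn_access_checker_fixed(request_sim *r) {
    return r->user ? OK : DECLINED;
}
/* mod_auth_kerb check_user_id stand-in: with no credentials it records the
 * WWW-Authenticate challenge before failing the request with 401. */
static int kerb_check_user_id(request_sim *r) {
    if (r->user) return OK;
    r->www_authenticate = NEGOTIATE;
    return HTTP_UNAUTHORIZED;
}
/* Simplified request processing: access_checker is a RUN_ALL hook, so any
 * result other than OK or DECLINED is returned before check_user_id runs. */
static int process_request(request_sim *r, int (*access_checker)(request_sim *)) {
    int rc = access_checker(r);
    if (rc != OK && rc != DECLINED) return rc;
    return kerb_check_user_id(r);
}
/* Send one anonymous request through the given access checker: returns the HTTP
 * status and stores the WWW-Authenticate value (NULL if absent) in *challenge. */
static int anonymous_request(int (*access_checker)(request_sim *), const char **challenge) {
    request_sim r = { NULL, NULL };
    int status = process_request(&r, access_checker);
    *challenge = r.www_authenticate;
    return status;
}

int main(void) {
    const char *hdr;
    int s = anonymous_request(authz_svn_access_checker_buggy, &hdr);
    printf("before fix: %d, WWW-Authenticate: %s\n", s, hdr ? hdr : "(missing)");
    s = anonymous_request(authz_svn_access_checker_fixed, &hdr);
    printf("after fix:  %d, WWW-Authenticate: %s\n", s, hdr ? hdr : "(missing)");
    return 0;
}
```

Both paths produce a 401, but only the fixed one lets the authn module attach the challenge header, which is the symptom to look for when verifying the update with a header-only request against the repository.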

Comment 13 errata-xmlrpc 2018-04-10 17:31:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0938