Bug 799557
Summary: | RHEL-6 libcurl fails when using digest auth and have multiple auth options | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Peter Edwards <thatsafunnyname> | ||||
Component: | curl | Assignee: | Kamil Dudka <kdudka> | ||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | high | ||||||
Version: | 6.2 | CC: | btotty, chorn, fkrska, gnaik, jasonmc, jkurik, johnny, jpittman, jtrowbri, juanino, kdudka, lingsubscribe, maxim, msaxena, nparmar, ovasik, prc, qe-baseos-security, ruben, sgaikwad, srandhaw, vanhoof | ||||
Target Milestone: | rc | Keywords: | Patch, ZStream | ||||
Target Release: | 6.5 | ||||||
Hardware: | x86_64 | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | curl-7.19.7-39.el6 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2014-10-22 07:15:28 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 994246, 1096797 | ||||||
Attachments: |
|
Description
Peter Edwards
2012-03-03 00:12:58 UTC
This was the commit that introduced the line above: https://github.com/bagder/curl/commit/4851dafcf164bf2de5bd33c3cf2b786422ed05b6 The mailing list bug report: http://curl.haxx.se/mail/lib-2011-10/0323.html Thanks. Thanks for the bug report and pointer to the upstream fix. Please clarify what you mean by "regression in curl-7.19.7-26.el6_1.2.x86_64". Do you mean that it worked in RHEL-6 before the update? That sounds pretty unlikely to me... Created attachment 567588 [details]
backport of upstream 4851daf
Sorry. It worked on RHEL-5. I didn't test older RH RPM versions on RHEL-6. I will do that now. I tested with: curl-7.19.7-16.el6.x86_64 libcurl-7.19.7-16.el6.x86_64 libcurl-7.19.7-15.el6.x86_64 curl-7.19.7-15.el6.x86_64 libcurl-7.19.7-6.el6.x86_64 curl-7.19.7-6.el6.x86_64 it does not work with any of these, failing in the same manner. It does work on RHEL-5 with: curl-7.15.5-9.el5_7.4 Thanks for the quick response. The bug was present also in Fedora 16. I have submitted an update for it: https://admin.fedoraproject.org/updates/curl-7.21.7-7.fc16 *** Bug 953864 has been marked as a duplicate of this bug. *** We've recently been working on a system upgrade from EL5 to EL6 and encountered this broken behavior with curl for NTLM authentication. I've repackaged the EL6 curl using the patch provided here and it solves are problem as well. Will this bug definitely be fixed in RHEL 6.5? Thank you for confirming the fix, Jason! If you want to increase the chance of having the fix for the issue included in RHEL 6.5, please contact the product support. Bugzilla is only a bug tracking tool and RHEL updates are driven by customer requests. I've opened case #00886699 for this. Thank you Jason McCormick for opening the case. Opened another case (#00949737) to emphasize that this is important for multiple customers. This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux. I've requested management escalation for this BZ and my case. I also can't find the reference KB article on the support site. (In reply to Jason McCormick from comment #38) > I also can't find the reference KB article on the support site. There is a reference to Knowledge Base above on this page, it points to: https://access.redhat.com/site/solutions/325133 I see that as "Access Denied". The URL says "If this is knowledge content, it may be unpublished or retired." (In reply to Kamil Dudka from comment #39) > https://access.redhat.com/site/solutions/325133 This kbase contains no additional information. It has been published just now, it can atleast help to guide affected users to this bz here. @engineering: could we get a new test build including the patch? Are we ok with handing it out for verification? The new build will then probably be 6.5 based. A new build of test packages has been initiated. Please open a case with the Red Hat Support (i.e. open a case via access.redhat.com ) and hint at this bugzilla, you can then get the packages - to verify the patch works. The following 2 testpackages have been verified by my customer to fix the issue. curl-7.19.7-37.1.el6.x86_64.rpm / libcurl-7.19.7-37.1.el6.x86_64.rpm I don't know if this is related, but on the CentOS Devel mail list, this patch was pointed out as needed to solve an issue for NTLM as well: https://github.com/bagder/curl/commit/63a0bd4270decef04e64fbe497b42f2c9e26c62b From this post: http://lists.centos.org/pipermail/centos-devel/2014-October/012111.html (In reply to Johnny Hughes from comment #63) > https://github.com/bagder/curl/commit/63a0bd4270decef04e64fbe497b42f2c9e26c62b The above takes effect only if you explicitly set CURLOPT_FORBID_REUSE. I would not classify the patch as related to this bug. There were dozens of other NTLM fixes in curl between 4851dafc and 63a0bd42. (In reply to Kamil Dudka from comment #64) > (In reply to Johnny Hughes from comment #63) I am the person that post that thread (http://lists.centos.org/pipermail/centos-devel/2014-October/012111.html) to centOS developer mail list. I know that is not the same issue, but that issue (ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth) bothers me more than this. The connection of NTLM authenticated request shouldn't be reuse in libcurl multi interface because it includes authentication context, after reuse with other plain requests to the same server, the context will be messed up and then next request with the same user's NTLM authentication will get 401 always until this connection get closed by HTTP server, and new connection to be established for the NTLM request. But because of this defect, I couldn't set CURLOPT_FORBID_REUSE for NTLM authenticated request (it always failed after retry five times), due to NTLM requires the same connection for at least two continuous requests to finish authentication. This issue normally may not be able reproduce with curl command line because curl doesn't use the multi interface for asynchronous I/O that my appserver did. That is a serious defect, I hope this issue can be patched to redhat 6 and CentOS 6 ASAP! Paul Ling (In reply to Paul Ling from comment #65) > That is a serious defect, I hope this issue can be patched to redhat 6 and > CentOS 6 ASAP! While we appreciate your feedback, such a discussion makes no sense on a bug that is already fixed (and verified to be fixed). Please file a separate bug, or better a customer case, for your issue. |