Red Hat Bugzilla – Bug 1306431
Fix for CVE-2015-3184 breaks mod_authz_svn so that it doesn't work with mod_auth_kerb
Last modified: 2017-10-24 12:17:02 EDT
Created attachment 1122910
Description of problem:
The fix for CVE-2015-3184 (Subversion) and CVE-2015-3185 (httpd) broke
the use of 3rd party modules such as mod_auth_kerb and mod_auth_ntlm
when mandatory authn was combined with mod_authz_svn. The problem
was that httpd returned a 401 response without an Authentication header,
meaning the client was unable to authenticate. By returning DECLINED
we allow the authn module to generate a 401 with the correct headers.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Set up an SVN repository and HTTP server with Kerberos authentication. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799105 for a sample config reproducer. Without the patch, you would get an unauthorized error. With the patch, you should get authenticated.
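
A check for the symptom described above, as an added example that is not part of the original report or of the Subversion/httpd code: it parses a raw HTTP response and flags a 401 that carries no WWW-Authenticate challenge. The response bytes and function names are constructed for illustration, and one challenge per header line is assumed.

```python
from email.parser import BytesParser


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n",
                                       headersonly=True)
    return int(parts[1]), headers


def challenge_schemes(headers):
    """Auth schemes offered, one per WWW-Authenticate header line.

    Header names are matched case-insensitively. Assumption: the server
    sends each challenge on its own header line.
    """
    schemes = []
    for value in headers.get_all("WWW-Authenticate", []):
        tokens = value.strip().split(None, 1)
        if tokens:
            schemes.append(tokens[0])
    return schemes


def check_401(raw: bytes):
    """Classify a response: a 401 with no challenge is the reported symptom."""
    status, headers = parse_response(raw)
    if status != 401:
        return ("not-401", [])
    schemes = challenge_schemes(headers)
    if not schemes:
        return ("401-no-challenge", [])  # client cannot start authentication
    return ("401-challenge", schemes)


# Constructed sample responses (not captured from a real server).
WITHOUT_CHALLENGE = (b"HTTP/1.1 401 Unauthorized\r\n"
                     b"Content-Type: text/html\r\n\r\n<html></html>")
WITH_CHALLENGE = (b"HTTP/1.1 401 Unauthorized\r\n"
                  b"www-authenticate: Negotiate\r\n"
                  b"WWW-Authenticate: Basic realm=\"svn\"\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("without", WITHOUT_CHALLENGE), ("with", WITH_CHALLENGE)]:
        print(name, check_401(raw))
```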