Bug 1306431 - Fix for CVE-2015-3184 breaks mod_authz_svn so that it doesn't work with mod_auth_kerb
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subversion
Version: 7.2
Hardware: All
OS: Linux
unspecified
high
Target Milestone: rc
Assignee: Joe Orton
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 1298243 1400961 1420851 1465904 1466370 1472751
Reported: 2016-02-10 20:57 UTC by Frank Hirtz
Modified: 2018-04-10 17:32 UTC (History)

Fixed In Version: subversion-1.7.14-13.el7
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 17:31:32 UTC
Target Upstream Version:


Attachments
"ported" patch (1.74 KB, patch)
2016-02-10 20:57 UTC, Frank Hirtz


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0938 0 None None None 2018-04-10 17:32:10 UTC

Description Frank Hirtz 2016-02-10 20:57:28 UTC
Created attachment 1122910
"ported" patch

Description of problem:

URL: http://svn.apache.org/viewvc?rev=1708699&view=rev

The fix for CVE-2015-3184 (Subversion) and CVE-2015-3185 (httpd) broke
the use of 3rd party modules such as mod_auth_kerb and mod_auth_ntlm
when mandatory authn was combined with mod_authz_svn.  The problem
was httpd returned a 401 response without an Authentication header
meaning the client was unable to authenticate.  By returning DECLINED
we allow the authn module to generate a 401 with the correct headers.

Version-Release number of selected component (if applicable):
subversion-1.7.14-10

How reproducible:
Always

Steps to Reproduce:
Set up an SVN repository and HTTP server with Kerberos authentication. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799105 for a sample config reproducer. Without the patch, you would get an unauthorized error. With the patch, you should get authenticated.
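
Added example (not part of the bug report or of Subversion's own code): a small Python check for the symptom described above, a 401 response that carries no authentication challenge. It assumes the header in question is `WWW-Authenticate` and that Kerberos setups offer the `Negotiate` scheme; the function names and both sample responses are constructed for illustration.

```python
import io
from http.client import parse_headers

# Constructed sample response heads, not captured from a real server.
BROKEN = (b"HTTP/1.1 401 Unauthorized\r\n"
          b"Server: Apache\r\n"
          b"Content-Type: text/html; charset=iso-8859-1\r\n"
          b"\r\n")
FIXED = (b"HTTP/1.1 401 Unauthorized\r\n"
         b"Server: Apache\r\n"
         b"WWW-Authenticate: Negotiate\r\n"
         b"WWW-Authenticate: Basic realm=\"svn\"\r\n"
         b"\r\n")


def challenge_schemes(raw):
    """Return (status, schemes) for a raw HTTP response head (hypothetical helper)."""
    fp = io.BytesIO(raw)
    parts = fp.readline().decode("iso-8859-1").split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = parse_headers(fp)  # header names are matched case-insensitively
    values = headers.get_all("WWW-Authenticate") or []
    # Only the first scheme on each header line is recorded.
    schemes = [v.split(None, 1)[0].rstrip(",") for v in values if v.strip()]
    return int(parts[1]), schemes


def classify(raw, expected_scheme="Negotiate"):
    """Classify a response head against the symptom in this bug."""
    status, schemes = challenge_schemes(raw)
    if status != 401:
        return "not-a-challenge"
    if not schemes:
        # A 401 with no challenge gives the client nothing to authenticate with.
        return "401-without-challenge"
    if expected_scheme.lower() not in [s.lower() for s in schemes]:
        return "401-wrong-scheme"
    return "ok"


if __name__ == "__main__":
    for name, raw in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, classify(raw))
```

Feeding it the response head from an unauthenticated request to the repository URL gives a quick regression check before and after updating the package.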

Comment 13 errata-xmlrpc 2018-04-10 17:31:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0938

