Bug 2187631 - Cannot load modules/mod_auth_mellon.so into server: /lib64/liblasso.so.3: undefined symbol: xmlSecOpenSSLKeyDataDsaGetDsa
Alias: None
Product: Fedora
Classification: Fedora
Component: xmlsec1
Version: rawhide
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Tomas Halman
QA Contact: Fedora Extras Quality Assurance
Reported: 2023-04-18 08:57 UTC by Jan Pazdziora
Modified: 2023-06-27 14:38 UTC

Fixed In Version: xmlsec1-1.2.37-4.fc39
Last Closed: 2023-06-23 10:24:05 UTC
Type: ---

Description Jan Pazdziora 2023-04-18 08:57:07 UTC
Merely starting httpd now fails when mod_auth_mellon is installed on the system.

Reproducible: Always

Steps to Reproduce:
1. dnf install -y httpd mod_auth_mellon
2. systemctl start httpd
3. systemctl status httpd

Actual Results:  
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.

× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
     Active: failed (Result: exit-code) since Tue 2023-04-18 10:46:34 CEST; 7s ago
       Docs: man:httpd.service(8)
    Process: 1066 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 1066 (code=exited, status=1/FAILURE)
        CPU: 25ms

Apr 18 10:46:34 machine.example.com systemd[1]: Starting httpd.service - The Apache HTTP Server...
Apr 18 10:46:34 machine.example.com httpd[1066]: httpd: Syntax error on line 61 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.modules.d/10-auth_mellon.conf: Cannot load modules/mod_auth_mellon.so into server: /lib64/liblasso.so.3: undefined symbol: xmlSecOpenSSLKeyDataDsaGetDsa
Apr 18 10:46:34 machine.example.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Apr 18 10:46:34 machine.example.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Apr 18 10:46:34 machine.example.com systemd[1]: Failed to start httpd.service - The Apache HTTP Server.

Expected Results:  
No error, httpd listening for connections.

This is with

 httpd                     x86_64 2.4.57-1.fc39  beaker-Fedora-Everything  51 k
 mod_auth_mellon           x86_64 0.18.1-3.fc39  beaker-Fedora-Everything 1.3 M
 lasso                     x86_64 2.7.0-9.fc37   beaker-Fedora-Everything 201 k
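
Added example, not part of the original report or of any Fedora package: a POSIX shell helper that compares `nm -D` listings to find the symbols with a given prefix that one library imports and none of the candidate provider libraries export, which is the condition the loader error above reports. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input files hold the text printed by `nm -D <library>`.

# missing_syms PREFIX IMPORTER_NM PROVIDER_NM...
# Print every symbol starting with PREFIX that the importer leaves undefined
# ("U") and that no provider listing defines.
missing_syms() {
    prefix=$1; importer=$2; shift 2
    awk -v prefix="$prefix" -v importer="$importer" '
        # Drop a symbol-version suffix such as @GLIBC_2.2.5.
        function base(s) { sub(/@.*/, "", s); return s }
        # Provider line "ADDR TYPE NAME": any type letter except U is a definition.
        FILENAME != importer && NF == 3 && $2 != "U" { defined[base($3)] = 1 }
        # Importer line "U NAME": must be resolved by another library at load time.
        FILENAME == importer && NF == 2 && $1 == "U" {
            name = base($2)
            if (index(name, prefix) == 1) wanted[name] = 1
        }
        END { for (n in wanted) if (!(n in defined)) print n }
    ' "$importer" "$@" | sort
}

# demo: run the check on constructed listings that model the failure in this
# report (addresses and the selection of symbols are made up).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/lasso.nm" <<'EOF'
                 U malloc@GLIBC_2.2.5
                 U xmlSecOpenSSLInit
                 U xmlSecOpenSSLKeyDataDsaGetDsa
0000000000031c40 T lasso_init
EOF
    cat > "$dir/xmlsec-openssl.nm" <<'EOF'
0000000000012a10 T xmlSecOpenSSLInit
0000000000015b30 T xmlSecOpenSSLKeyDataDsaGetKlass
EOF
    missing_syms xmlSec "$dir/lasso.nm" "$dir/xmlsec-openssl.nm"
    rm -rf "$dir"
}

demo
```

On a real system the listings would come from running `nm -D` on /lib64/liblasso.so.3 and on the installed xmlsec1 libraries; an empty result means every imported symbol with that prefix has a provider.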

Comment 2 Jan Pazdziora 2023-04-20 09:16:06 UTC
I assume this might be related to the fact that lasso FTBFS in Fedora 38: bug 2142849.

On Fedora 38 mod_auth_mellon fails with coredump after

  lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)

on Fedora 39 (rawhide) it completely stops Apache HTTP Server from starting.

Comment 6 Jan Pazdziora 2023-05-09 12:08:00 UTC
How hard would it be to actually make the dependent packages in Fedora compliant with the new xmlsec 1.3 API?

If you think it is not realistic, just building the previous version likely with an Epoch bump should work. But beware that some packages might have already adapted to the new version, so for them it would be another incompatible change.

So starting with the list of components that depend on xmlsec1 seems like a needed first step anyway.

Comment 7 Jan Pazdziora 2023-06-12 15:34:12 UTC
Hello, any chance of getting some resolution any time soon?

Comment 9 Fedora Update System 2023-06-23 10:21:32 UTC
FEDORA-2023-5c4fd46363 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5c4fd46363

Comment 10 Fedora Update System 2023-06-23 10:24:05 UTC
FEDORA-2023-5c4fd46363 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 11 Tomas Halman 2023-06-23 11:47:47 UTC
The end of month is coming and I will be off, so I did the revert today to unblock others.

I'm ready to work on that update again once I'm back.


Comment 12 Tomas Halman 2023-06-23 12:37:58 UTC
Here is my copr repo with 1.3 version https://copr.fedorainfracloud.org/coprs/thalman/xmlsec1/


Comment 13 Evgeny Kolesnikov 2023-06-26 23:59:03 UTC
Just a heads-up on what is going to happen to packages that were lucky enough to be built with 1.3.0 at some point: https://github.com/OpenSCAP/openscap/issues/1995.

Comment 14 Jan Pazdziora 2023-06-27 14:38:27 UTC
The revert led to lasso failures again, reported as bug 2217937.
