Kerberos authentication no longer works following upgrade 1.8.8-1ubuntu3.1 to 1.8.8-1ubuntu3.2
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
subversion (Debian) | Fix Released | Unknown | |
subversion (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
We have been using mod-dav-svn for some time, but since the update it has failed to authenticate to Kerberos.
Rolling back the update has resolved the issue.
Our configuration is as follows:-
<Location /svn>
Options FollowSymLinks
AuthType Kerberos
AuthName "CardBoardFish Subversion Repository"
Krb5Keytab /etc/apache2/
KrbMethodNegotiate on
Require valid-user
# Uncomment this to enable the repository
DAV svn
# Set this to the path to your repository
#SVNPath /var/lib/svn
# Alternatively, use SVNParentPath if you have multiple repositories under
# under a single directory (/var/lib/
# You need either SVNPath and SVNParentPath, but not both.
SVNParentPath /var/lib/svn
# Access control is done at 3 levels: (1) Apache authentication, via
# any of several methods. A "Basic Auth" section is commented out
# below. (2) Apache <Limit> and <LimitExcept>, also commented out
# below. (3) mod_authz_svn is a svn-specific authorization module
# which offers fine-grained read/write access control for paths
# within a repository. (The first two layers are coarse-grained; you
# can only enable/disable access to an entire repository.) Note that
# mod_authz_svn is noticeably slower than the other two layers, so if
# you don't need the fine-grained control, don't configure it.
# Basic Authentication is repository-wide. It is not secure unless
# you are using https. See the 'htpasswd' command to create and
# manage the password file - and the documentation for the
# 'auth_basic' and 'authn_file' modules, which you will need for this
# (enable them with 'a2enmod').
#AuthType Basic
#AuthName "Subversion Repository"
#AuthUserFile /etc/apache2/
# To enable authorization via mod_authz_svn (enable that module separately):
#<IfModule mod_authz_svn.c>
#AuthzSVNAcce
#</IfModule>
# The following three lines allow anonymous read, but make
# committers authenticate themselves. It requires the 'authz_user'
# module (enable it with 'a2enmod').
#<LimitExcept GET PROPFIND OPTIONS REPORT>
#Require valid-user
#</LimitExcept>
AuthzSVNAccessFile /var/lib/
</Location>
Changed in subversion (Debian): status: Unknown → New
Changed in subversion (Debian): status: New → Confirmed
Changed in subversion (Debian): status: Confirmed → Fix Released
Same here:
<Location /svn/>
KrbAuthRealms BLA.FOOBAR.COM auth/http. keytab
KrbLocalUserMapping on
# Kerberos authentication
AuthType Kerberos
Krb5Keytab /etc/apache2/
require valid-user
# Subversion
SVNParentPath /var/svn/projects/
SVNListParentPath on
AuthzSVNAccessFile /var/svn/authz_svn
SVNPathAuthz off
DAV svn
# Disable path-based checks
</Location>