Apache CVE-2014-0226 update broke mod_status ABI

Bug #1349288 reported by Marti
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
apache2 (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

On 2014-07-23, Ubuntu released a security update for Apache for the CVE-2014-0226 vulnerability. Most of our systems use unattended-upgrades and installed this update automatically. On 2014-07-27, logrotate did its weekly rotation and issued the "reload" command to Apache. Since the new mod_status.so was no longer ABI-compatible with the running Apache, it died with an "undefined symbol" error. This happened on 4 of our systems.

I guess the majority of Apache users are using logrotate with the default settings, so it's too late to fix anything for them. But for some users, this may still be a ticking time bomb. I hope the people responsible for the patching are made aware of this mistake and will avoid applying security updates with ABI changes in the future.

/var/log/apache2/error.log.1
[Sun Jul 27 06:32:34.453547 2014] [mpm_worker:notice] [pid 1014:tid 139742164682624] AH00297: SIGUSR1 received. Doing graceful restart
apache2: Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/status.load: Cannot load /usr/lib/apache2/modules/mod_status.so into server: /usr/lib/apache2/modules/mod_status.so: undefined symbol: ap_copy_scoreboard_worker

/var/log/unattended-upgrades/unattended-upgrades.log
2014-07-24 06:46:22,214 INFO Initial blacklisted packages:
2014-07-24 06:46:22,215 INFO Starting unattended upgrades script
2014-07-24 06:46:22,215 INFO Allowed origins are: ['o=Ubuntu,a=trusty-security']
2014-07-24 06:46:30,273 INFO Packages that will be upgraded: apache2 apache2-bin apache2-data apache2-utils
2014-07-24 06:46:30,273 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2014-07-24_06:46:30.273613.log'
2014-07-24 06:46:32,956 INFO All upgrades installed

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apache2 2.4.7-1ubuntu4.1
ProcVersionSignature: Ubuntu 3.13.0-32.57-generic 3.13.11.4
Uname: Linux 3.13.0-32-generic x86_64
Apache2ConfdDirListing: False
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
Date: Mon Jul 28 10:38:22 2014
InstallationDate: Installed on 2011-02-08 (1265 days ago)
InstallationMedia: Ubuntu-Server 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/usr/bin/zsh
SourcePackage: apache2
UpgradeStatus: Upgraded to trusty on 2014-06-16 (41 days ago)

Marti (intgr)
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu):
status: New → Confirmed
Marti (intgr) wrote :

Oh I see now why this didn't affect many other users: Ubuntu by default restarts updated services immediately. I am using an /etc/policy-rc.d to prevent restarts of critical services (like apache2) at unpredictable times.
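
Added example, not part of the bug report or of Ubuntu's tooling: a check for the condition this report describes, an apache2 process started before the upgrade that still runs the old binary while newer files sit on disk, so it should be restarted before any reload. It assumes Linux marks replaced files in /proc/<pid>/maps with " (deleted)"; the function names and the sample maps text are constructed for illustration.

```python
import os

# Constructed sample of /proc/<pid>/maps for an apache2 parent started before
# its package was upgraded (addresses and inode numbers are made up).
SAMPLE_MAPS = """\
7f1a2c000000-7f1a2c09c000 r-xp 00000000 08:01 131114 /usr/sbin/apache2 (deleted)
7f1a2b400000-7f1a2b406000 r-xp 00000000 08:01 131201 /usr/lib/apache2/modules/mod_status.so (deleted)
7f1a2b000000-7f1a2b1bb000 r-xp 00000000 08:01 262150 /lib/x86_64-linux-gnu/libc-2.19.so
7f1a2a000000-7f1a2a021000 rw-p 00000000 00:00 0 [heap]
7f1a29000000-7f1a29010000 rw-s 00000000 00:04 98304 /dev/zero (deleted)
"""
DELETED = " (deleted)"

def stale_mappings(maps_text):
    """Return sorted paths of executable file mappings whose on-disk file was replaced."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping without a path
        perms, path = fields[1], fields[5]
        # Only executable, file-backed mappings count; shared-memory segments
        # such as "/dev/zero (deleted)" are normal and must not be flagged.
        if "x" in perms and path.startswith("/") and path.endswith(DELETED):
            stale.add(path[:-len(DELETED)])
    return sorted(stale)

def scan_proc(name="apache2", proc="/proc"):
    """Map pid -> stale files for processes named `name` (root is needed to read other users' maps)."""
    results = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "comm")) as f:
                if f.read().strip() != name:
                    continue
            with open(os.path.join(proc, pid, "maps")) as f:
                stale = stale_mappings(f.read())
        except OSError:
            continue  # process exited meanwhile, or its files are not readable
        if stale:
            results[int(pid)] = stale
    return results

if __name__ == "__main__":
    for pid, files in scan_proc().items():
        print(f"pid {pid}: full restart needed before reload; replaced on disk: {', '.join(files)}")
```

Run from cron or a monitoring agent after unattended-upgrades finishes, a non-empty result means a scheduled reload (such as the one logrotate issues) would load new modules into an old binary.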
