Ubuntu
apache2 package

Apache CVE-2014-0226 update broke mod_status ABI

Bug #1349288 reported by Marti
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

On 2014-07-23, Ubuntu released a security update for Apache for the CVE-2014-0226 vulnerability. Most of our systems use unattended-upgrades and installed this update automatically. On 2014-07-27, logrotate did its weekly rotation and issued the "reload" command to Apache. Since the new mod_status.so was no longer ABI-compatible with the running Apache, it died with an "undefined symbol" error. This happened on 4 of our systems.

I guess the majority of Apache users are using logrotate with the default settings, so it's too late to fix anything for them. But for some users, this may still be a ticking time bomb. I hope the people responsible for the patching are made aware of this mistake and will avoid applying security updates with ABI changes in the future.

/var/log/apache2/error.log.1
[Sun Jul 27 06:32:34.453547 2014] [mpm_worker:notice] [pid 1014:tid 139742164682624] AH00297: SIGUSR1 received. Doing graceful restart
apache2: Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/status.load: Cannot load /usr/lib/apache2/modules/mod_status.so into server: /usr/lib/apache2/modules/mod_status.so: undefined symbol: ap_copy_scoreboard_worker

/var/log/unattended-upgrades/unattended-upgrades.log
2014-07-24 06:46:22,214 INFO Initial blacklisted packages:
2014-07-24 06:46:22,215 INFO Starting unattended upgrades script
2014-07-24 06:46:22,215 INFO Allowed origins are: ['o=Ubuntu,a=trusty-security']
2014-07-24 06:46:30,273 INFO Packages that will be upgraded: apache2 apache2-bin apache2-data apache2-utils
2014-07-24 06:46:30,273 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2014-07-24_06:46:30.273613.log'
2014-07-24 06:46:32,956 INFO All upgrades installed

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apache2 2.4.7-1ubuntu4.1
ProcVersionSignature: Ubuntu 3.13.0-32.57-generic 3.13.11.4
Uname: Linux 3.13.0-32-generic x86_64
Apache2ConfdDirListing: False
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
Date: Mon Jul 28 10:38:22 2014
InstallationDate: Installed on 2011-02-08 (1265 days ago)
InstallationMedia: Ubuntu-Server 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/usr/bin/zsh
SourcePackage: apache2
UpgradeStatus: Upgraded to trusty on 2014-06-16 (41 days ago)

See original description
Revision history for this message
Marti (intgr) wrote :
Marti (intgr)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu):
status: New → Confirmed
Revision history for this message
Marti (intgr) wrote :

Oh I see now why this didn't affect many other users: Ubuntu by default restarts updated services immediately. I am using an /etc/policy-rc.d to prevent restarts of critical services (like apache2) at unpredictable times.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.