authzprovideralias-defined authz provider can't be used in Ubuntu14
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apache2 (Ubuntu) | Fix Released | High | Unassigned |
Trusty | Fix Released | Undecided | Andreas Hasenack |
Bug Description
[Impact]
AuthzProviderAlias definitions are invisible to the authz provider inside a VirtualHost stanza. This is a regression from hardy.
Sites affected by this bug might be leaking pages that were previously denied, because the Require rule that references the alias cannot be evaluated and access is simply granted.
[Test Case]
On trusty:
# install apache
sudo apt update
sudo apt install apache2 -y
# Add this block to /etc/apache2/
<Directory "/var/www/html">
# create the file /etc/apache2/
<AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
</AuthzProviderAlias>
# restart apache2:
sudo service apache2 restart
# access localhost, which should work just fine
wget localhost -O /dev/null
# observe that /var/log/
AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
# /var/log/
"GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
That, and the successful request, indicate the bug.
With an updated apache2 package, the following happens:
# /var/log/
[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
# same for /var/log/
"GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
# and wget fails as it should:
$ wget localhost
--2018-11-24 16:50:28-- http://
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)
HTTP request sent, awaiting response... 403 Forbidden
2018-11-24 16:50:28 ERROR 403: Forbidden.
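The two log lines above are the signature of this bug: an AH02305 "no alias provider found" error followed by a 200 for a request that the alias-based rule should have denied. The following checker, added here as an example and not part of the bug report or the apache2 package, correlates the two logs to list which aliases went unresolved and which requests were served instead of being denied. The log lines it runs on are constructed to match the messages quoted above; the Apache 2.4 error-log prefix and common-log access format are assumed.

```python
import re

# Constructed sample lines, modelled on the messages quoted in the bug report.
ERROR_LOG = """\
[Sat Nov 24 16:50:28.123456 2018] [authz_core:error] [pid 1234] [client 127.0.0.1:53478] AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
[Sat Nov 24 16:51:02.000000 2018] [authz_core:error] [pid 1234] [client 127.0.0.1:53490] AH01630: client denied by server configuration: /var/www/html/
"""
ACCESS_LOG = """\
127.0.0.1 - - [24/Nov/2018:16:50:28 +0000] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
127.0.0.1 - - [24/Nov/2018:16:51:02 +0000] "GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
"""

# AH02305 is logged by mod_authz_core when a Require references an alias it cannot see.
AH02305_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] AH02305: no alias provider found for '(?P<alias>[^']+)'")
# Common log format: remote host, identity, user, [timestamp], "request", status, bytes ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def unresolved_aliases(error_log):
    """Map each alias named in an AH02305 line to the client IPs (port stripped)
    that hit it. Any entry means the Require using that alias was not enforced."""
    hits = {}
    for line in error_log.splitlines():
        m = AH02305_RE.search(line)
        if m:
            ip = m.group("client").rsplit(":", 1)[0]
            hits.setdefault(m.group("alias"), set()).add(ip)
    return hits


def served_not_denied(access_log, ips):
    """Requests from the given IPs that got a 2xx instead of a 403: with an
    unresolved alias these are the requests that fell open."""
    out = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("ip") in ips and m.group("status").startswith("2"):
            out.append((m.group("ts"), m.group("req"), int(m.group("status"))))
    return out


def assess(error_log, access_log):
    """Return {alias: [fail-open requests]}, one entry per unresolved alias."""
    return {alias: served_not_denied(access_log, ips)
            for alias, ips in unresolved_aliases(error_log).items()}
```

Run `assess()` over the real error and access logs of a Trusty host before upgrading to see what was served while the alias was invisible; an empty result after the upgrade confirms the rule is being evaluated again.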
[Regression Potential]
The patch was applied in apache 2.4.11. I looked for other commits after that trying to spot if there was a regression, but couldn't find any, and the same diff is present all the way up to what we have in disco now.
That being said, fixing the incorrect behavior might catch some admins by surprise: they might have been letting pages be accessed that shouldn't have, without realizing it. Or the other way around. After the upgrade, the access rule will be correctly enforced.
[Other Info]
Not at this time.
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu 14.03 LTS,
and I found a problem with Apache 2.4.7.
It is thought that Apache 2.4.7 doesn't include authzprovideral
so I can't set the system user's account to belong to multiple organizations.
Since Apache 2.4.11 includes authzprovideral
I want you to make the same correspondence to Apache 2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870
Related branches
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
Diff: 62 lines (+40/-0), 3 files modified
- debian/changelog (+7/-0)
- debian/patches/AuthzProviderAlias-visibility.patch (+32/-0)
- debian/patches/series (+1/-0)
Changed in apache2 (Ubuntu): | |
assignee: | nobody → farhan saleh robleh (farhn) |
status: | Triaged → Confirmed |
Changed in apache2 (Ubuntu): | |
assignee: | farhan saleh robleh (farhn) → nobody |
status: | Confirmed → Triaged |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in apache2 (Ubuntu Trusty): | |
status: | New → In Progress |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in apache2 (Ubuntu): | |
assignee: | Andreas Hasenack (ahasenack) → nobody |
status: | In Progress → Fix Released |
description: | updated |