| 2015-12-26 08:17:00 |
Hikari Kobayashi |
bug |
|
|
added bug |
| 2016-01-30 05:40:26 |
Hikari Kobayashi |
bug watch added |
|
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
|
| 2016-01-30 05:40:48 |
Hikari Kobayashi |
description |
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7. |
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
|
| 2016-03-31 11:49:15 |
Christian Ehrhardt |
tags |
|
regression-release trusty |
|
| 2016-03-31 11:49:21 |
Christian Ehrhardt |
apache2 (Ubuntu): status |
New |
Triaged |
|
| 2016-03-31 11:49:30 |
Christian Ehrhardt |
apache2 (Ubuntu): importance |
Undecided |
High |
|
| 2017-01-23 22:40:04 |
Joshua Powers |
bug |
|
|
added subscriber Ubuntu Server Team |
| 2018-05-21 11:39:52 |
farhan saleh robleh |
apache2 (Ubuntu): assignee |
|
farhan saleh robleh (farhn) |
|
| 2018-05-21 11:40:00 |
farhan saleh robleh |
apache2 (Ubuntu): status |
Triaged |
Confirmed |
|
| 2018-05-23 19:52:36 |
Colin Watson |
apache2 (Ubuntu): assignee |
farhan saleh robleh (farhn) |
|
|
| 2018-05-23 19:52:38 |
Colin Watson |
apache2 (Ubuntu): status |
Confirmed |
Triaged |
|
| 2018-11-23 20:09:20 |
Andreas Hasenack |
apache2 (Ubuntu): status |
Triaged |
In Progress |
|
| 2018-11-23 20:09:23 |
Andreas Hasenack |
apache2 (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2018-11-24 16:28:31 |
Andreas Hasenack |
description |
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
|
| 2018-11-24 16:52:30 |
Andreas Hasenack |
description |
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected
package to reproduce the bug and verify that the updated package fixes
the problem.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
[Impact]
AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy.
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
On trusty:
# install apache
sudo apt update
sudo apt install apache2 -y
# Add this block to /etc/apache2/sites-enabled/000-default.conf between the VirtualHost lines:
<Directory "/var/www/html">
<RequireAll>
Require not blacklisted-ips
Require all granted
</RequireAll>
</Directory>
# create the file /etc/apache2/conf-enabled/authz.conf with this content:
<AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
</AuthzProviderAlias>
# restart apache2:
sudo service apache2 restart
# access localhost, which should work just fine
wget localhost -O /dev/null
# observe that /var/log/apache2/error.log contains a message like this:
AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
# /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
"GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
That, and the successful request, indicate the bug.
With an updated apache2 package, the following happens:
- /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
- same for /var/log/apache2/access.log, showing a 403 being returned to the client:
"GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
- and wget fails:
$ wget localhost
--2018-11-24 16:50:28-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-24 16:50:28 ERROR 403: Forbidden.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
|
| 2018-11-24 16:54:00 |
Andreas Hasenack |
description |
[Impact]
AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy.
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
On trusty:
# install apache
sudo apt update
sudo apt install apache2 -y
# Add this block to /etc/apache2/sites-enabled/000-default.conf between the VirtualHost lines:
<Directory "/var/www/html">
<RequireAll>
Require not blacklisted-ips
Require all granted
</RequireAll>
</Directory>
# create the file /etc/apache2/conf-enabled/authz.conf with this content:
<AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
</AuthzProviderAlias>
# restart apache2:
sudo service apache2 restart
# access localhost, which should work just fine
wget localhost -O /dev/null
# observe that /var/log/apache2/error.log contains a message like this:
AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
# /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
"GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
That, and the successful request, indicate the bug.
With an updated apache2 package, the following happens:
- /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
- same for /var/log/apache2/access.log, showing a 403 being returned to the client:
"GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
- and wget fails:
$ wget localhost
--2018-11-24 16:50:28-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-24 16:50:28 ERROR 403: Forbidden.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
[Impact]
AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy.
Sites affected by this bug might be leaking pages that were denied previously, because access is just granted.
[Test Case]
On trusty:
# install apache
sudo apt update
sudo apt install apache2 -y
# Add this block to /etc/apache2/sites-enabled/000-default.conf between the VirtualHost lines:
<Directory "/var/www/html">
<RequireAll>
Require not blacklisted-ips
Require all granted
</RequireAll>
</Directory>
# create the file /etc/apache2/conf-enabled/authz.conf with this content:
<AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
</AuthzProviderAlias>
# restart apache2:
sudo service apache2 restart
# access localhost, which should work just fine
wget localhost -O /dev/null
# observe that /var/log/apache2/error.log contains a message like this:
AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
# /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
"GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
That, and the successful request, indicate the bug.
With an updated apache2 package, the following happens:
- /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
- same for /var/log/apache2/access.log, showing a 403 being returned to the client:
"GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
- and wget fails:
$ wget localhost
--2018-11-24 16:50:28-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-24 16:50:28 ERROR 403: Forbidden.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
|
| 2018-11-24 17:12:44 |
Andreas Hasenack |
description |
[Impact]
AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy.
Sites affected by this bug might be leaking pages that were denied previously, because access is just granted.
[Test Case]
On trusty:
# install apache
sudo apt update
sudo apt install apache2 -y
# Add this block to /etc/apache2/sites-enabled/000-default.conf between the VirtualHost lines:
<Directory "/var/www/html">
<RequireAll>
Require not blacklisted-ips
Require all granted
</RequireAll>
</Directory>
# create the file /etc/apache2/conf-enabled/authz.conf with this content:
<AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
</AuthzProviderAlias>
# restart apache2:
sudo service apache2 restart
# access localhost, which should work just fine
wget localhost -O /dev/null
# observe that /var/log/apache2/error.log contains a message like this:
AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
# /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
"GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
That, and the successful request, indicate the bug.
With an updated apache2 package, the following happens:
- /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
- same for /var/log/apache2/access.log, showing a 403 being returned to the client:
"GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
- and wget fails:
$ wget localhost
--2018-11-24 16:50:28-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-24 16:50:28 ERROR 403: Forbidden.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
[Impact]
AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy.
Sites affected by this bug might be leaking pages that were denied previously, because access is just granted.
[Test Case]
On trusty:
# install apache
sudo apt update
sudo apt install apache2 -y
# Add this block to /etc/apache2/sites-enabled/000-default.conf between the VirtualHost lines:
<Directory "/var/www/html">
<RequireAll>
Require not blacklisted-ips
Require all granted
</RequireAll>
</Directory>
# create the file /etc/apache2/conf-enabled/authz.conf with this content:
<AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
</AuthzProviderAlias>
# restart apache2:
sudo service apache2 restart
# access localhost, which should work just fine
wget localhost -O /dev/null
# observe that /var/log/apache2/error.log contains a message like this:
AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
# /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
"GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
That, and the successful request, indicate the bug.
With an updated apache2 package, the following happens:
# /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
# same for /var/log/apache2/access.log, showing a 403 being returned to the client:
"GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
# and wget fails as it should:
$ wget localhost
--2018-11-24 16:50:28-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-24 16:50:28 ERROR 403: Forbidden.
[Regression Potential]
The patch was applied in apache 2.4.11. I looked for other commits after that trying to spot if there was a regression, but couldn't find any, and the same diff is present all the way up to what we have in disco now.
[Other Info]
Not at this time.
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
|
| 2018-11-24 18:18:18 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/359387 |
|
| 2018-11-26 07:39:26 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Trusty |
|
| 2018-11-26 07:39:26 |
Christian Ehrhardt |
bug task added |
|
apache2 (Ubuntu Trusty) |
|
| 2018-11-26 07:39:33 |
Christian Ehrhardt |
apache2 (Ubuntu Trusty): status |
New |
In Progress |
|
| 2018-11-26 07:39:39 |
Christian Ehrhardt |
apache2 (Ubuntu Trusty): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2018-11-26 07:39:41 |
Christian Ehrhardt |
apache2 (Ubuntu): assignee |
Andreas Hasenack (ahasenack) |
|
|
| 2018-11-26 07:39:44 |
Christian Ehrhardt |
apache2 (Ubuntu): status |
In Progress |
Fix Released |
|
| 2018-11-26 12:01:13 |
Andreas Hasenack |
description |
[Impact]
AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy.
Sites affected by this bug might be leaking pages that were denied previously, because access is just granted.
[Test Case]
On trusty:
# install apache
sudo apt update
sudo apt install apache2 -y
# Add this block to /etc/apache2/sites-enabled/000-default.conf between the VirtualHost lines:
<Directory "/var/www/html">
<RequireAll>
Require not blacklisted-ips
Require all granted
</RequireAll>
</Directory>
# create the file /etc/apache2/conf-enabled/authz.conf with this content:
<AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
</AuthzProviderAlias>
# restart apache2:
sudo service apache2 restart
# access localhost, which should work just fine
wget localhost -O /dev/null
# observe that /var/log/apache2/error.log contains a message like this:
AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
# /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
"GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
That, and the successful request, indicate the bug.
With an updated apache2 package, the following happens:
# /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
# same for /var/log/apache2/access.log, showing a 403 being returned to the client:
"GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
# and wget fails as it should:
$ wget localhost
--2018-11-24 16:50:28-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-24 16:50:28 ERROR 403: Forbidden.
[Regression Potential]
The patch was applied in apache 2.4.11. I looked for other commits after that trying to spot if there was a regression, but couldn't find any, and the same diff is present all the way up to what we have in disco now.
[Other Info]
Not at this time.
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
[Impact]
AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy.
Sites affected by this bug might be leaking pages that were denied previously, because access is just granted.
[Test Case]
On trusty:
# install apache
sudo apt update
sudo apt install apache2 -y
# Add this block to /etc/apache2/sites-enabled/000-default.conf between the VirtualHost lines:
<Directory "/var/www/html">
<RequireAll>
Require not blacklisted-ips
Require all granted
</RequireAll>
</Directory>
# create the file /etc/apache2/conf-enabled/authz.conf with this content:
<AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
</AuthzProviderAlias>
# restart apache2:
sudo service apache2 restart
# access localhost, which should work just fine
wget localhost -O /dev/null
# observe that /var/log/apache2/error.log contains a message like this:
AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
# /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
"GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
That, and the successful request, indicate the bug.
With an updated apache2 package, the following happens:
# /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
# same for /var/log/apache2/access.log, showing a 403 being returned to the client:
"GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
# and wget fails as it should:
$ wget localhost
--2018-11-24 16:50:28-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-24 16:50:28 ERROR 403: Forbidden.
[Regression Potential]
The patch was applied in apache 2.4.11. I looked for other commits after that trying to spot if there was a regression, but couldn't find any, and the same diff is present all the way up to what we have in disco now.
That being said, fixing the incorrect behavior might catch some admins by surprise: they might have been letting pages be accessed that shouldn't have, without realizing it. Or the other way around. After the upgrade, the access rule will be correctly enforced.
[Other Info]
Not at this time.
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870 |
|
| 2018-11-28 00:06:23 |
Brian Murray |
apache2 (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
| 2018-11-28 00:06:25 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2018-11-28 00:06:26 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
| 2018-11-28 00:06:29 |
Brian Murray |
tags |
regression-release trusty |
regression-release trusty verification-needed verification-needed-trusty |
|
| 2019-01-09 12:56:58 |
Andreas Hasenack |
tags |
regression-release trusty verification-needed verification-needed-trusty |
regression-release trusty verification-done-trusty verification-needed |
|
| 2019-01-14 09:00:18 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2019-01-14 09:00:17 |
Launchpad Janitor |
apache2 (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
