Comment 1 for bug 1808379

Christian Ehrhardt  (paelzer) wrote :

Hi,
the recent update was only a security fix [1] that seems totally unrelated.

The conf file in your error /etc/apache2/mods-enabled/authz_svn.load is actually from
libapache2-mod-svn out of src:subversion.
All it does is load /usr/lib/apache2/modules/mod_authz_svn.so, and that fails in your case with:
  Cannot load /usr/lib/apache2/modules/mod_authz_svn.so into server:
  /usr/lib/apache2/modules/mod_authz_svn.so: undefined symbol: ap_hook_force_authn

First I tried the non-backport versions of
apache2 2.4.7-1ubuntu4.20
libapache2-mod-svn 1.8.8-1ubuntu3.3
They work fine (I ensured with a2enmod authz_svn that it is loaded).

Maybe the backports-apache is not binary compatible with the plugins built for the actual apache2 in the archive?
I upgraded to the version in trusty-backports and can confirm the issue:
apache2: Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/authz_svn.load: Cannot load /usr/lib/apache2/modules/mod_authz_svn.so into server: /usr/lib/apache2/modules/mod_authz_svn.so: undefined symbol: ap_hook_force_authn
Action 'configtest' failed.

Usually the resolution would be to rebuild subversion against the newer apache, but while it might help -backports this would break the "actual" apache in main.

I found that the version in the main archive is fixed or better modified to do all that.
See [2] for that change

Since then the apache2 in main has that new API and deprecated the old insecure one.
Any later rebuild of subversion will have made it pick that up.
That would have been [4] shortly after.
The apache2 in backports most likely would need that change as well to get backports and main archive matching again.

I can say that the patch would somewhat apply to the version in backports, but I do not have enough subject matter expertise to be sure.
$ patch --dry-run -p1 < /tmp/CVE-2015-3185.patch
checking file include/http_request.h
Hunk #2 succeeded at 541 with fuzz 1.
Hunk #3 succeeded at 596 (offset 2 lines).
checking file server/request.c

I'm afraid the apache in trusty-backports is broken (as you reported - thanks for the report BTW), not by the last upload but by a version incompatibility.
There could be more plugins that won't load if they got rebuilt and use the new API/ABI.
Due to the nature of the change that mostly will be auth plugins.

Someone would need to prep an upload for that in Backports [4].
Sorry I currently don't have the cycles to do so, but maybe the analysis helps backporters to do it more easily.

For the time being, I installed all other libapache2-mod-auth* and it seems only the subversion plugin is affected for now. So if you don't rely on that, maybe just remove that for now?

[1]: https://git.launchpad.net/ubuntu/+source/apache2/commit/?id=21979d8ee350ab3df0d24558229be4ce19300cf7
[2]: https://git.launchpad.net/ubuntu/+source/apache2/commit/?id=efd270510e6ed37564d375c950b5365fc7929c3e
[3]: https://launchpad.net/ubuntu/+source/subversion/1.8.8-1ubuntu3.1
[4]: https://help.ubuntu.com/community/UbuntuBackports
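
Added example (not part of the original comment, and not Ubuntu or Apache project code): a static version of the check the comment performs by installing modules one by one. It compares the ap_* symbols each module imports against what the server binary exports. The function names, the sample nm lines and the /usr/sbin/apache2 path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list httpd core API symbols (ap_*) that a module imports
# but the server binary does not export. Such a module fails at LoadModule
# with "undefined symbol", as mod_authz_svn.so does in this report.

# missing_ap_symbols SERVER_NM MODULE_NM
#   SERVER_NM: file with `nm -D --defined-only` output for the httpd binary
#   MODULE_NM: file with `nm -D --undefined-only` output for one module
# Assumption: only ap_* names are compared; other imports (apr_*, libc, svn)
# are resolved from shared libraries, not from the server binary.
missing_ap_symbols() {
    awk '
        NF { sub(/@.*/, "", $NF) }               # drop symbol version suffix
        FILENAME == ARGV[1] { if (NF) exported[$NF] = 1; next }
        NF >= 2 && $(NF-1) == "U" && $NF ~ /^ap_/ && !($NF in exported) {
            print $NF
        }
    ' "$1" "$2" | sort -u
}

# check_modules HTTPD_BINARY MODULE_DIR
# Prints "module: symbol" for every unresolved ap_* import.
# Typical call: check_modules /usr/sbin/apache2 /usr/lib/apache2/modules
check_modules() {
    srv=$(mktemp); mod=$(mktemp)
    nm -D --defined-only "$1" > "$srv"
    for so in "$2"/*.so; do
        nm -D --undefined-only "$so" > "$mod"
        for sym in $(missing_ap_symbols "$srv" "$mod"); do
            echo "$so: $sym"
        done
    done
    rm -f "$srv" "$mod"
}

# Constructed sample (not nm output from the packages in this report):
# the server lacks ap_hook_force_authn, the module imports it.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '0000000000041000 T ap_hook_check_authn' \
                  '0000000000042000 T ap_hook_check_access' > "$d/server.nm"
    printf '%s\n' '                 U ap_hook_check_access' \
                  '                 U ap_hook_force_authn' \
                  '                 U apr_pstrdup' > "$d/module.nm"
    missing_ap_symbols "$d/server.nm" "$d/module.nm"
    rm -rf "$d"
}
```

Run before restarting the server after an apache2 or module upgrade; any line of output names a module that will fail configtest in the same way as the one in this report.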