Kerberos authentication no longer works following upgrade 1.8.8-1ubuntu3.1 to 1.8.8-1ubuntu3.2

Bug #1487398 reported by Karl Royer on 2015-08-21
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
subversion (Debian)
Fix Released
Unknown
subversion (Ubuntu)
Undecided
Unassigned

Bug Description

We have been using mod-dav-svn for sometime but since update it has failed to authenticate to kerberos.

Rolling back the update has resolved the issue.

Our configuration is as follows:-

<Location /svn>

 Options FollowSymLinks
 AuthType Kerberos
 AuthName "CardBoardFish Subversion Repository"
 Krb5Keytab /etc/apache2/apache.keytab
 KrbMethodNegotiate on
 Require valid-user

  # Uncomment this to enable the repository
  DAV svn

  # Set this to the path to your repository
  #SVNPath /var/lib/svn
  # Alternatively, use SVNParentPath if you have multiple repositories under
  # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
  # You need either SVNPath and SVNParentPath, but not both.
  SVNParentPath /var/lib/svn

  # Access control is done at 3 levels: (1) Apache authentication, via
  # any of several methods. A "Basic Auth" section is commented out
  # below. (2) Apache <Limit> and <LimitExcept>, also commented out
  # below. (3) mod_authz_svn is a svn-specific authorization module
  # which offers fine-grained read/write access control for paths
  # within a repository. (The first two layers are coarse-grained; you
  # can only enable/disable access to an entire repository.) Note that
  # mod_authz_svn is noticeably slower than the other two layers, so if
  # you don't need the fine-grained control, don't configure it.

  # Basic Authentication is repository-wide. It is not secure unless
  # you are using https. See the 'htpasswd' command to create and
  # manage the password file - and the documentation for the
  # 'auth_basic' and 'authn_file' modules, which you will need for this
  # (enable them with 'a2enmod').
  #AuthType Basic
  #AuthName "Subversion Repository"
  #AuthUserFile /etc/apache2/dav_svn.passwd

  # To enable authorization via mod_authz_svn (enable that module separately):
  #<IfModule mod_authz_svn.c>
  #AuthzSVNAccessFile /etc/apache2/dav_svn.authz
  #</IfModule>

  # The following three lines allow anonymous read, but make
  # committers authenticate themselves. It requires the 'authz_user'
  # module (enable it with 'a2enmod').
  #<LimitExcept GET PROPFIND OPTIONS REPORT>
    #Require valid-user
  #</LimitExcept>
 AuthzSVNAccessFile /var/lib/svn/.svnauthz_kerb
</Location>

CVE References

Karl Royer (h-karl) wrote :
Dirk Niederhoefer (elvis-c) wrote :

Same here:

<Location /svn/>
        # Kerberos authentication
        AuthType Kerberos
        KrbAuthRealms BLA.FOOBAR.COM
        Krb5Keytab /etc/apache2/auth/http.keytab
        KrbLocalUserMapping on
        require valid-user

        # Subversion
        DAV svn
        SVNParentPath /var/svn/projects/
        SVNListParentPath on
        AuthzSVNAccessFile /var/svn/authz_svn
        # Disable path-based checks
        SVNPathAuthz off
</Location>

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in subversion (Ubuntu):
status: New → Confirmed
Changed in subversion (Debian):
status: Unknown → New
Changed in subversion (Debian):
status: New → Confirmed
Changed in subversion (Debian):
status: Confirmed → Fix Released
Torbjörn Moa (moa-physto) wrote :

This problem is still there in 1.8.8-1ubuntu3.3.

Torbjorn (moa) wrote :

I finally found the time to take a deeper look at this. Turns out this bug is caused by CVE-2015-3184.patch. The SVN guys figured it out long ago, and fixed it: http://svn.apache.org/viewvc/subversion/trunk/subversion/mod_authz_svn/mod_authz_svn.c?r1=1695681&r2=1708699

I attach a modified version of that patch. It cures the bug if applied at the end of the patch chain in 1.8.8-1ubuntu3.3. The package you need to reinstall after rebuilding is libapache2-mod-svn.

Torbjorn (moa) wrote :

The attachment "fix-CVE-2015-3184" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.