Package: libapache2-mod-auth-openidc
Source: libapache2-mod-auth-openidc
Description: OpenID Connect Relying Party implementation for Apache
Submitter: Enrico Zini
Date: 2022-04-17 11:36:10 UTC
Severity: serious
Tags:
Hello,

this has just been witnessed on diabelli.debian.org:

  apt install libapache2-mod-auth-openidc
  a2enmod auth_openidc
  systemctl restart apache2

at this point, just visiting sso.debian.org causes an internal server error, with segfaults in the error log:

  [Fri Feb 23 14:22:56.038768 2018] [core:notice] [pid 19113:tid 140156425577664] AH00052: child pid 19116 exit signal Segmentation fault (11)

Enrico
Hi Enrico,

On 23.02.2018 at 15:25, Enrico Zini wrote:

Do you happen to have mod_php enabled? We have seen problems together with mod_php, which is falsely linked with openssl 1.1 while apache itself and all other modules are linked with openssl 1.0, which was the policy for the stretch release. Then it depends on the load order of the modules whether apache crashes or not. Can you verify this?

Christoph
mod_php is not enabled, but it could be that some other module is
enabled that has the same issue with openssl.
$ ls /etc/apache2/mods-enabled/
access_compat.load authn_file.load authz_user.load deflate.conf filter.load ldap.load mpm_worker.load reqtimeout.load ssl.load
alias.conf authnz_ldap.load autoindex.conf deflate.load headers.load macro.load negotiation.conf setenvif.conf status.conf
alias.load authz_core.load autoindex.load dir.conf info.conf mime.conf negotiation.load setenvif.load status.load
auth_basic.load authz_groupfile.load cgid.conf dir.load info.load mime.load perl.load socache_shmcb.load wsgi.conf
authn_core.load authz_host.load cgid.load env.load ldap.conf mpm_worker.conf reqtimeout.conf ssl.conf wsgi.load
I ran:
for mod in $(ls /etc/apache2/mods-enabled/*.load); do SO=$(sed -nre 's/.+ ([^ ]+.so)$/\1/p' $mod); echo $SO; ldd $SO; done
And found this:
/usr/lib/apache2/modules/mod_ssl.so
linux-vdso.so.1 (0x00007ffdd7be9000)
libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007ff3b6ead000)
libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007ff3b6a49000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff3b682c000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff3b648d000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff3b6289000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff3b734f000)
Could it be relevant?
Enrico
Hi Enrico,

we know of a bunch of installations where libapache2-mod-auth-openidc is working without a problem in jessie and stretch. So it must be something special with your setup. From your ldd analysis it does not show a problem with libssl versions. But do you have both libssl-1.1 and libssl-1.0 installed? If yes, which packages depend on them? Can you provide a stack-trace?

Christoph
Hello,

I'm suffering the same problem. In my case I can confirm that mod_php (libapache2-mod-php7.0) is in use and is linked against openssl 1.1:

/usr/lib/apache2/modules/libphp7.0.so
        linux-vdso.so.1 (0x00007fff74595000)
        libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fcfaf8dd000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fcfaf6c6000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fcfaf4ac000)
        libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fcfaf239000)
        librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fcfaf031000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fcfaed2d000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fcfaeb29000)
        libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007fcfae911000)
        libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fcfae556000)
        libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fcfae2ea000)
        libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fcfade57000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcfadab8000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fcfad89b000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fcfb014c000)
        libicui18n.so.57 => /usr/lib/x86_64-linux-gnu/libicui18n.so.57 (0x00007fcfad421000)
        libicuuc.so.57 => /usr/lib/x86_64-linux-gnu/libicuuc.so.57 (0x00007fcfad079000)
        libicudata.so.57 => /usr/lib/x86_64-linux-gnu/libicudata.so.57 (0x00007fcfab5fc000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fcfab3d6000)
        libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fcfab054000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fcfaae3d000)

Given that, I would really like to understand the basic problem with that. Even without mod_auth_openidc, I see a mixture of openssl 1.0 & 1.1 which has not been a problem so far - and I can't find evidence that there is a potential problem with that. Do you have any reference that would give more insight on that issue?

What would be the solution of the problem?

Jörg
Hi Jörg,

On 01.05.2018 at 21:13, Jörg Delker wrote:

In our experience it depends on the order of module loads. If libapache2-mod-php7.0 is the last module loaded which is linked against libssl, it is not a problem. If there is another module which needs libssl 1.0 after mod_php, the problem surfaces. Please try to find out the order in which your modules are loaded and check which one is linked against which version of openssl.

Christoph
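The check Christoph asks for, written out as an added example that is not part of the bug report or of the package: a POSIX shell script that walks the enabled modules in the order Apache loads them (Debian's apache2.conf includes mods-enabled/*.load through a glob, which Apache expands alphabetically), reports the libssl/libcrypto soname each module links against, and warns when two different OpenSSL versions are present. The embedded ldd samples are constructed from the two reports above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the bug report: which OpenSSL version does each
# enabled Apache module link, in load order, and is there a mix?

# Distinct libssl/libcrypto versions in one module's ldd output ($1).
# Prints the versions space-separated, or "none" if the module does not link OpenSSL.
ssl_version_of_ldd() {
    v=$(printf '%s\n' "$1" \
        | sed -nE 's/^[[:space:]]*lib(ssl|crypto)\.so\.([0-9][0-9.]*) =>.*/\2/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//')
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'none\n'
}

# Input ($1): lines "module<TAB>version". Returns 0 (true) when more than one
# distinct OpenSSL version is present among the modules that link it at all.
mixed_ssl_versions() {
    n=$(printf '%s\n' "$1" \
        | awk -F'\t' '$2 != "" && $2 != "none" { print $2 }' \
        | sort -u | wc -l | tr -d ' ')
    [ "$n" -gt 1 ]
}

# Real-system scan: prints "module<TAB>version" per enabled module, in the
# alphabetical order of the *.load files, i.e. Apache's load order.
scan_enabled_modules() {
    dir=${1:-/etc/apache2/mods-enabled}
    for f in "$dir"/*.load; do
        [ -e "$f" ] || continue
        so=$(awk '$1 == "LoadModule" { print $3 }' "$f")
        [ -n "$so" ] || continue
        printf '%s\t%s\n' "$(basename "$so")" \
            "$(ssl_version_of_ldd "$(ldd "$so" 2>/dev/null)")"
    done
}

# Constructed sample ldd output, modelled on mod_ssl (1.0.2) and libphp7.0 (1.1)
# as reported in the thread, plus a module that links no OpenSSL at all.
SAMPLE_MOD_SSL=$(printf '\tlibssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007ff3b6ead000)\n\tlibcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007ff3b6a49000)\n\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff3b648d000)\n')
SAMPLE_PHP=$(printf '\tlibssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fcfae2ea000)\n\tlibcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fcfade57000)\n')
SAMPLE_PLAIN=$(printf '\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)\n')

# Stand-alone run: on a host with Apache, report the real modules; elsewhere,
# demonstrate on the constructed samples.
if [ -d /etc/apache2/mods-enabled ]; then
    report=$(scan_enabled_modules)
else
    report=$(printf 'mod_ssl.so\t%s\nlibphp7.0.so\t%s\n' \
        "$(ssl_version_of_ldd "$SAMPLE_MOD_SSL")" \
        "$(ssl_version_of_ldd "$SAMPLE_PHP")")
fi
printf '%s\n' "$report"
if mixed_ssl_versions "$report"; then
    echo "WARNING: enabled modules link different OpenSSL versions; whether apache crashes depends on load order"
fi
```

Run it as root on the affected host; the order of the lines is the load order, so the last module that links libssl is the one Christoph's rule is about. The two-version case is exactly what the two ldd listings in this thread show side by side.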
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 891224@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Schlarb <schlarbm@uni-mainz.de> (supplier of updated libapache2-mod-auth-openidc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 07 Sep 2021 09:37:15 +0200
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.9.4-1
Distribution: unstable
Urgency: medium
Maintainer: Moritz Schlarb <schlarbm@uni-mainz.de>
Changed-By: Moritz Schlarb <schlarbm@uni-mainz.de>
Closes: 868949 883616 891224 993648
Changes:
libapache2-mod-auth-openidc (2.4.9.4-1) unstable; urgency=medium
.
* New upstream version 2.4.9.4
* Fix "CVE-2021-39191" (Closes: #993648)
* 2.4.9.2 fixed a regression regarding segfault at reload/restart
(Closes: #883616, #891224, #868949)
Checksums-Sha1:
6e0593f90c1dbf43efda8586732980feecfc953e 2528 libapache2-mod-auth-openidc_2.4.9.4-1.dsc
47f8b949552c3d32f019c5cf785c4672dc0f8aae 261544 libapache2-mod-auth-openidc_2.4.9.4.orig.tar.gz
64d79ff511f145f1131fc8e52b9883837773c690 5848 libapache2-mod-auth-openidc_2.4.9.4-1.debian.tar.xz
b6f2b10fdde35bf0e62c1bc4edb326f73bc2800c 7946 libapache2-mod-auth-openidc_2.4.9.4-1_amd64.buildinfo
Checksums-Sha256:
757c704a9229eff21b0a3665ea7fabfe6fd7b56501c879552a6d3c67c73b8792 2528 libapache2-mod-auth-openidc_2.4.9.4-1.dsc
142ee7abd49a4c6e2a7233c9124143709e733e8e51896c4a4f4172b0ffbc4741 261544 libapache2-mod-auth-openidc_2.4.9.4.orig.tar.gz
f0e8c3677b08282fffd71e401ae6f622c596676d60515d7c240fd80b5209b2e1 5848 libapache2-mod-auth-openidc_2.4.9.4-1.debian.tar.xz
2d2c83226d56c80d62009f6a2a656ac3cea08c702846f0f325638eb0f2473db9 7946 libapache2-mod-auth-openidc_2.4.9.4-1_amd64.buildinfo
Files:
7fc4a2d6a82b628e718fdc1042cc270f 2528 httpd optional libapache2-mod-auth-openidc_2.4.9.4-1.dsc
21959e96f73545012afec7201f5f46fd 261544 httpd optional libapache2-mod-auth-openidc_2.4.9.4.orig.tar.gz
8377c6fdb6f7a7cedbea6b0ddeeec969 5848 httpd optional libapache2-mod-auth-openidc_2.4.9.4-1.debian.tar.xz
b4ddeb1f703c0289c8cbde81ddb32e02 7946 httpd optional libapache2-mod-auth-openidc_2.4.9.4-1_amd64.buildinfo
Hello,

Bug #891224 in libapache2-mod-auth-openidc reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/libapache2-mod-auth-openidc/-/commit/428cdff0557c104ffe804c83cd1ff7dfae7f3f33

------------------------------------------------------------------------
Update changelog for 2.4.9.4-1 release

* New upstream version 2.4.9.4
* Fix "CVE-2021-39191" (Closes: #993648)
* 2.4.9.2 fixed a regression regarding segfault at reload/restart
  (Closes: #883616, #891224, #868949)
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/891224
I'm seeing this in bullseye with a brand new apache install. Every graceful restart (apache2ctl graceful) causes a segfault. I don't have PHP or any other non-default modules installed.

To reproduce: Set up fresh VM;

  apt install apache2; apt install libapache2-mod-auth-openidc
  apache2ctl graceful

  [Sun Jan 16 23:55:27.742953 2022] [mpm_event:notice] [pid 2412:tid 140640895987008] AH00493: SIGUSR1 received. Doing graceful restart
  AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.2. Set the 'ServerName' directive globally to suppress this message
  [Sun Jan 16 23:55:27.759267 2022] [mpm_event:notice] [pid 2412:tid 140640895987008] AH00489: Apache/2.4.52 (Debian) configured -- resuming normal operations
  [Sun Jan 16 23:55:27.759284 2022] [core:notice] [pid 2412:tid 140640895987008] AH00094: Command line: '/usr/sbin/apache2'
  [Sun Jan 16 23:55:27.759752 2022] [core:notice] [pid 2412:tid 140640895987008] AH00052: child pid 2480 exit signal Segmentation fault (11)

This did not occur in buster.

Hamish
Dear Hamish,

can you please send us more information on your setup? E.g. the output of:

  apache2ctl -M

and

  dpkg -l *apache*

Thanks,
Moritz
Dear Hamish, sorry, I didn't think all the way through what you were writing. Actually, enabling (and probably disabling) modules in Apache2 always requires a restart of the main daemon process - so performing a graceful restart/reload is simply not supported here (you are experiencing the actual reason for that). That's also why I wasn't able to reproduce in the first place - because I restarted Apache after installing the Module out of muscle memory. ;-) Hope that helps, Moritz
It's listed as fixed in the upstream release notes for 2.4.9.2: https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9.2 Regards Hamish
Hi Moritz,

Even after a full restart (systemctl restart apache2), it still causes a segfault on every "apache2ctl graceful".

  vagrant up (debian/bullseye64)
  sudo -i
  apt update
  apt install apache2; apt install libapache2-mod-auth-openidc
  systemctl restart apache2
  apache2ctl graceful

/var/log/apache2/error says:

  [Wed Feb 23 09:54:04.187005 2022] [core:notice] [pid 2554:tid 140034803486016] AH00052: child pid 2678 exit signal Segmentation fault (11)

following every "apache2ctl graceful".

regards
Hamish
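Detection logic for the pattern Hamish reproduces, a child segfault notice (AH00052) logged after a graceful restart (AH00493, SIGUSR1), as an added example that is not part of the bug report: a POSIX shell script that summarises an Apache error log and lists the PIDs of the crashed children. The sample log is constructed from the lines quoted in this thread; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the bug report: count graceful restarts and child
# segfaults in an Apache error log and relate the two.

# Summarise one error-log text ($1): number of graceful restarts, number of
# child segfaults, and how many of those segfaults were logged after a restart.
# Apache appends in time order, so file order is enough; no timestamp parsing.
segfault_summary() {
    printf '%s\n' "$1" | awk '
        /AH00493: SIGUSR1 received/ { restarts++; armed = 1 }
        /AH00052: child pid [0-9]+ exit signal Segmentation fault/ {
            segfaults++
            if (armed) after++
        }
        END { printf "restarts=%d segfaults=%d after_restart=%d\n",
                     restarts, segfaults, after }
    '
}

# PIDs of children that died with SIGSEGV, one per line, for follow-up
# (for instance to match them against core dumps).
crashed_child_pids() {
    printf '%s\n' "$1" \
        | sed -nE 's/.*AH00052: child pid ([0-9]+) exit signal Segmentation fault.*/\1/p'
}

# Constructed sample, built from the log lines quoted in the thread.
SAMPLE_LOG='[Sun Jan 16 23:55:27.742953 2022] [mpm_event:notice] [pid 2412:tid 140640895987008] AH00493: SIGUSR1 received. Doing graceful restart
[Sun Jan 16 23:55:27.759267 2022] [mpm_event:notice] [pid 2412:tid 140640895987008] AH00489: Apache/2.4.52 (Debian) configured -- resuming normal operations
[Sun Jan 16 23:55:27.759752 2022] [core:notice] [pid 2412:tid 140640895987008] AH00052: child pid 2480 exit signal Segmentation fault (11)'

# Stand-alone run: use the log given as $1 (default /var/log/apache2/error.log)
# when it is readable, otherwise the constructed sample.
LOG_FILE=${1:-/var/log/apache2/error.log}
if [ -r "$LOG_FILE" ]; then
    LOG_TEXT=$(cat "$LOG_FILE")
else
    LOG_TEXT=$SAMPLE_LOG
fi
segfault_summary "$LOG_TEXT"
crashed_child_pids "$LOG_TEXT"
```

A non-zero after_restart with segfaults equal to the number of restarts is the signature of this bug; segfaults with after_restart=0 point at something else, since they happened without any SIGUSR1 in between.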
Oh wow, okay, yes... Sorry. I'm probably just too tired for anything... That issue looks familiar and in my Git Repo for libapache2-mod-auth-openidc I even have a tag called debian/2.4.9.4-1, so I probably already nearly solved this but apparently did not release... Sorry about that! I'll submit this to proposed-updates.

Thanks for your patience,
Moritz
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-auth-openidc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 891224@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Schlarb <schlarbm@uni-mainz.de> (supplier of updated libapache2-mod-auth-openidc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 23 Feb 2022 12:16:08 +0100
Source: libapache2-mod-auth-openidc
Architecture: source
Version: 2.4.9.4-0+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Moritz Schlarb <schlarbm@uni-mainz.de>
Changed-By: Moritz Schlarb <schlarbm@uni-mainz.de>
Closes: 868949 883616 891224 993648
Changes:
libapache2-mod-auth-openidc (2.4.9.4-0+deb11u1) bullseye; urgency=medium
.
* New upstream version 2.4.9.4
* Fix "CVE-2021-39191" (Closes: #993648)
* 2.4.9.2 fixed a regression regarding segfault at reload/restart
(Closes: #883616, #891224, #868949)
Checksums-Sha1:
8d81e40b1d93e46098fe4497d47f2a321ff246bf 2560 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u1.dsc
47f8b949552c3d32f019c5cf785c4672dc0f8aae 261544 libapache2-mod-auth-openidc_2.4.9.4.orig.tar.gz
2aed3c856249e7e02915af2c8a759bf72c7e3e4f 5880 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u1.debian.tar.xz
39627a473a51c9b587f73691f7b9f97de1577587 8217 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u1_amd64.buildinfo
Checksums-Sha256:
54e4153dac025b19638f29192d53a719e1ee71f0d05263109a844fae816ed322 2560 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u1.dsc
142ee7abd49a4c6e2a7233c9124143709e733e8e51896c4a4f4172b0ffbc4741 261544 libapache2-mod-auth-openidc_2.4.9.4.orig.tar.gz
f4d4e17814bdb972e10c80f9a92c2fe2def93980104df19d10c6d1abfd94315a 5880 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u1.debian.tar.xz
c674dc6dca99576499744355dbabed0dcef6fd558fad0fb06a8e8bdd2e35b055 8217 libapache2-mod-auth-openidc_2.4.9.4-0+deb11u1_amd64.buildinfo
Files:
c1ed3da3896b3118b2d614c617b1ab07 2560 httpd optional libapache2-mod-auth-openidc_2.4.9.4-0+deb11u1.dsc
21959e96f73545012afec7201f5f46fd 261544 httpd optional libapache2-mod-auth-openidc_2.4.9.4.orig.tar.gz
5dc2e2dfe582ef3e6634c20cba55315e 5880 httpd optional libapache2-mod-auth-openidc_2.4.9.4-0+deb11u1.debian.tar.xz
dc6329f5b4cb8c1a827672ef7dcb1703 8217 httpd optional libapache2-mod-auth-openidc_2.4.9.4-0+deb11u1_amd64.buildinfo