[Following a discussion on IRC.]
Upstream httpd uses the Module Magic Number (MMN) to identify the API
provided by the server for loadable modules. The MMN has a major
component that records changes that break the ABI in ways that require
modules to be recompiled, and a minor component for changes that do not
alter the previous ABI. Typically the major component only changes
between major releases, e.g. 2.2 is different from 2.4. The minor
component can change in minor releases, typically when a minor release
introduces a new API: modules that do not use the new API do not need to
be recompiled.
For CVE-2015-3185 httpd introduced ap_some_authn_required and bumped the
minor MMN. Subversion's fix for CVE-2015-3184 requires the new API and
the mod_authz_svn code uses the MMN to determine whether the new API is
available. Subversion will not build without the API, unless configured
with --enable-broken-httpd-auth, the use of which produces a module that
does not have the security fix.
A problem occurs when a Linux distribution has a policy of patching old
httpd releases for security fixes rather than updating httpd to a newer
version. Debian have patched their httpd 2.4.10 for CVE-2015-3185 and
provide ap_some_authn_required but have not bumped the MMN because they
do not provide all of the API changes in 2.4.16. This means the MMN of
Debian's httpd doesn't really match a released httpd. RedHat have not
yet released a fix to CVE-2015-3185 but if they do then I suspect they
may do something similar.
The net result is that Subversion's use of MMN to detect the new API
doesn't work on some Linux distributions and Subversion fails to build.
A typical autoconf solution would be AC_CHECK_FUNC but that will not
work here because this is a server API not a library API. Writing an
autoconf test would probably involve building an apache module, writing
an apache config file and running apache. That is hard.
Getting autoconf to detect the function prototype with something like
AC_COMPILE_IFELSE is also hard because the compiler behaviour is not
portable.
Writing autoconf code to run grep on the httpd header file might be an
option.
We could add a configure option to use the new API even when the MMN
has not been updated, the opposite of --enable-broken-httpd-auth.
Or we could leave users to edit the Subversion source code.
--
Philip Martin
WANdisco
Received on 2015-08-11 14:11:39 CEST
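As an added example, not code from Subversion, httpd or the message above: a shell sketch of the "grep the httpd header" check proposed in the message, run alongside the MMN comparison it backs up. It assumes the prototype lives in http_request.h and the MMN macros in ap_mmn.h under the httpd include directory (what `apxs -q INCLUDEDIR` reports on a real install), the sample headers it writes are constructed, and the required MMN values passed in must be the ones mod_authz_svn.c actually tests.

```sh
#!/bin/sh
# Added example, not code from Subversion or httpd: the "grep the httpd
# header" check combined with the MMN test it backs up.
# Assumed: the prototype is in http_request.h and the MMN defines are in
# ap_mmn.h under the include dir; the sample headers written by
# write_sample_include are constructed for this demonstration.

# Exit 0 if http_request.h declares ap_some_authn_required, else 1.
# Anchoring on AP_DECLARE avoids matching a mere mention in a comment.
httpd_has_some_authn_required() {
    hdr="$1/http_request.h"
    [ -r "$hdr" ] && grep -q '^AP_DECLARE(.*)[[:space:]]*ap_some_authn_required[[:space:]]*(' "$hdr"
}

# Print "major minor" read from ap_mmn.h ("0 0" if the header is missing).
httpd_mmn() {
    [ -r "$1/ap_mmn.h" ] || { echo "0 0"; return 0; }
    maj=$(sed -n 's/^#define[[:space:]]*MODULE_MAGIC_NUMBER_MAJOR[[:space:]]*\([0-9]*\).*/\1/p' "$1/ap_mmn.h")
    min=$(sed -n 's/^#define[[:space:]]*MODULE_MAGIC_NUMBER_MINOR[[:space:]]*\([0-9]*\).*/\1/p' "$1/ap_mmn.h")
    echo "$maj $min"
}

# Print "yes" if the MMN is at least need_major.need_minor (pass the values
# mod_authz_svn.c checks) or, failing that, if the header declares the
# function anyway: the distro-backport case where the MMN was not bumped.
httpd_authn_api_available() {
    dir=$1 need_major=$2 need_minor=$3
    set -- $(httpd_mmn "$dir")
    if [ "${1:-0}" -gt "$need_major" ] ||
       { [ "${1:-0}" -eq "$need_major" ] && [ "${2:-0}" -ge "$need_minor" ]; }; then
        echo yes
    elif httpd_has_some_authn_required "$dir"; then
        echo yes
    else
        echo no
    fi
}

# Write a constructed include dir: write_sample_include DIR MINOR yes|no
# (MINOR is the MMN minor to declare; yes/no whether to declare the function).
write_sample_include() {
    mkdir -p "$1"
    printf '#define MODULE_MAGIC_NUMBER_MAJOR 20120211\n' > "$1/ap_mmn.h"
    printf '#define MODULE_MAGIC_NUMBER_MINOR %s /* constructed */\n' "$2" >> "$1/ap_mmn.h"
    printf '/* a comment mentioning ap_some_authn_required() only */\n' > "$1/http_request.h"
    [ "$3" = yes ] && printf 'AP_DECLARE(int) ap_some_authn_required(request_rec *r);\n' >> "$1/http_request.h"
    return 0
}
```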