Bug#936034: broken http2 in apache2 2.4.25-3+deb9u8 for mod_dav_svn on stretch?

Bug#936034: broken http2 in apache2 2.4.25-3+deb9u8 for mod_dav_svn on stretch?

Fabien-2

Package: apache2
Version: 2.4.25-3+deb9u8

It seems that since the updated version above, my svn server (through
mod_dav_svn) does not serve contents correctly when using http2:

   sh> curl --http2 --verbose https://scm.cri.ensmp.fr/svn/nlpmake/trunk/makes/setup_pips.sh
   * ALPN, server accepted to use h2
   * Using HTTP2, server supports multi-use
   * Connection state changed (HTTP/2 confirmed)
   * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
   * Using Stream ID: 1 (easy handle 0x5576f7c8a3f0)
   > GET /svn/nlpmake/trunk/makes/setup_pips.sh HTTP/2
   > Host: scm.cri.ensmp.fr
   > User-Agent: curl/7.58.0
   > Accept: */*
   >
   * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
   * Unexpected EOF
   * Connection #0 to host scm.cri.ensmp.fr left intact
   curl: (56) Unexpected EOF

But it works fine with "curl --http1.1 …"

Also, site works well with http1.1 browsers (e.g. w3m), but is inaccessible
with modern http2 compatible browsers (firefox, chrome), which is
consistent.

After some investigating, I found:

  [Thu Aug 29 11:49:14.974371 2019] [core:notice] [pid 19929:tid 140177116143680] AH00052: child pid 19972 exit signal Segmentation fault (11)

Last time it worked with http2:

  10.2.14.177 - - [26/Aug/2019:23:33:01 +0200] "GET /svn/nlpmake/trunk/makes/setup_pips.sh HTTP/2.0" 200 11361 "-" "curl/7.58.0"

So it is broken since after that date, which I guess is when the server
was updated to the above version. It seems that there were no simultaneous
mod_dav_svn updates, so the issue appeared with apache2 latest update.

Current workaround is to deactivate http2 module.

--
Fabien
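
The log correlation described in the report above (first AH00052 segfault notice in the error log against the last successful HTTP/2 request in the access log), as an added Python example that is not part of the original thread. The first sample line of each log is the one quoted in the report, the others are constructed, and the code assumes both logs record the same local wall-clock time.

```python
import re
from datetime import datetime

# Sample logs: the first line of each is quoted in the report; the rest are constructed.
ERROR_LOG = """\
[Thu Aug 29 11:49:14.974371 2019] [core:notice] [pid 19929:tid 140177116143680] AH00052: child pid 19972 exit signal Segmentation fault (11)
[Thu Aug 29 11:52:40.101010 2019] [core:notice] [pid 19929:tid 140177116143680] AH00052: child pid 19980 exit signal Segmentation fault (11)
"""
ACCESS_LOG = """\
10.2.14.177 - - [26/Aug/2019:23:33:01 +0200] "GET /svn/nlpmake/trunk/makes/setup_pips.sh HTTP/2.0" 200 11361 "-" "curl/7.58.0"
10.2.14.177 - - [25/Aug/2019:09:10:11 +0200] "GET /svn/nlpmake/trunk/ HTTP/2.0" 200 512 "-" "curl/7.58.0"
10.2.14.177 - - [29/Aug/2019:11:50:30 +0200] "GET /svn/nlpmake/trunk/makes/setup_pips.sh HTTP/1.1" 200 11361 "-" "curl/7.58.0"
"""

SEGV = re.compile(r"^\[(?P<ts>[^\]]+)\] \[core:notice\] .*AH00052: child pid (?P<pid>\d+) "
                  r"exit signal Segmentation fault")
ACCESS = re.compile(r'\[(?P<ts>[^\]]+)\] "\S+ \S+ (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3}) ')

def segfaults(error_log):
    """Return sorted (timestamp, child_pid) pairs for every AH00052 segfault notice."""
    hits = []
    for line in error_log.splitlines():
        m = SEGV.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            hits.append((ts, int(m["pid"])))
    return sorted(hits)

def last_ok_h2(access_log, before):
    """Return the time of the latest 2xx HTTP/2.0 response logged before `before`."""
    best = None
    for line in access_log.splitlines():
        m = ACCESS.search(line)
        if not m or m["proto"] != "HTTP/2.0" or not m["status"].startswith("2"):
            continue
        # Assumption: both logs come from one host, so the UTC offset can be dropped.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        if ts < before and (best is None or ts > best):
            best = ts
    return best

def regression_window(error_log, access_log):
    """Return (last good HTTP/2 response, first segfault), or None without crashes."""
    crashes = segfaults(error_log)
    return (last_ok_h2(access_log, crashes[0][0]), crashes[0][0]) if crashes else None

if __name__ == "__main__":
    print(regression_window(ERROR_LOG, ACCESS_LOG))
```

The returned interval can then be compared against the package upgrade times on the host to see which update falls inside it.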

Bug#936034: broken http2 in apache2 2.4.25-3+deb9u8 for mod_dav_svn on stretch?

Stefan Fritsch
Sorry for the late response.

This is unfortunately a bug in subversion that is now triggered by the
new http2 module. The fix is here
http://svn.apache.org/viewvc?view=revision&revision=1845204 .

I will have to ask how this can be fixed, by DSA or by stable point release.

On 29.08.19 at 11:55, Fabien wrote:

>
> Package: apache2
> Version: 2.4.25-3+deb9u8
>
> It seems that since the updated version above, my svn server (through
> mod_dav_svn) does not serve contents correctly when using http2:
>
>   sh> curl --http2 --verbose https://scm.cri.ensmp.fr/svn/nlpmake/trunk/makes/setup_pips.sh
>   * ALPN, server accepted to use h2
>   * Using HTTP2, server supports multi-use
>   * Connection state changed (HTTP/2 confirmed)
>   * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
>   * Using Stream ID: 1 (easy handle 0x5576f7c8a3f0)
>   > GET /svn/nlpmake/trunk/makes/setup_pips.sh HTTP/2
>   > Host: scm.cri.ensmp.fr
>   > User-Agent: curl/7.58.0
>   > Accept: */*
>   >
>   * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
>   * Unexpected EOF
>   * Connection #0 to host scm.cri.ensmp.fr left intact
>   curl: (56) Unexpected EOF
>
> But it works fine with "curl --http1.1 …"
>
> Also, site works well with http1.1 browsers (e.g. w3m), but is
> inaccessible with modern http2 compatible browsers (firefox, chrome),
> which is consistent.
>
> After some investigating, I found:
>
>  [Thu Aug 29 11:49:14.974371 2019] [core:notice] [pid 19929:tid 140177116143680] AH00052: child pid 19972 exit signal Segmentation fault (11)
>
> Last time it worked with http2:
>
>  10.2.14.177 - - [26/Aug/2019:23:33:01 +0200] "GET /svn/nlpmake/trunk/makes/setup_pips.sh HTTP/2.0" 200 11361 "-" "curl/7.58.0"
>
> So it is broken since after that date, which I guess is when the server
> was updated to the above version. It seems that there were no simultaneous
> mod_dav_svn updates, so the issue appeared with apache2 latest update.
>
> Current workaround is to deactivate http2 module.
>


Bug#936034: DSA-4509-1 regression needs to be fixed in subversion

Stefan Fritsch
In reply to this post by Fabien-2
reassign 936034 libapache2-mod-svn
found 936034 1.9.0-1
fixed 1.10.4-1
affects 936034 apache2
thanks

DSA-4509-1 for apache2 caused a regression with libapache2-mod-svn that
needs a fix in subversion. In agreement with the security team, I will
upload a fix for this to security.debian.org


Bug#936034: DSA-4509-1 regression needs to be fixed in subversion

Stefan Fritsch
Attached is the debdiff

Attachment: subversion_1.9.5-1+deb9u5.debdiff (4K)