package: libapache2-mod-auth-openidc
version: 1.6.0-1
severity: serious
tags: jessie

The current "stable" version of libapache2-mod-auth-openidc in Jessie causes Apache to segfault. Installing the version from backports works with the same config.

Steps to reproduce (this is on a GCP instance):

1. install Debian Jessie w/apache prefork (2.4.10-10+deb8u11)
2. (without any backport repos in sources.list) apt-get install libapache2-mod-auth-openidc
3. Enable and configure mod-auth-openidc on a vhost
4. stop/start apache
5. attempt to access the website.

The apache error logs will contain something like:

[Tue Dec 05 09:48:45.411044 2017] [core:notice] [pid 2949] AH00052: child pid 2954 exit signal Segmentation fault (11)
[Tue Dec 05 09:48:48.413427 2017] [core:notice] [pid 2949] AH00052: child pid 2955 exit signal Segmentation fault (11)
[Tue Dec 05 09:48:49.414599 2017] [core:notice] [pid 2949] AH00052: child pid 2956 exit signal Segmentation fault (11)

One line per access attempt.

Replacing with version: 2.1.6-1~bpo+1 from Jessie backports (and installing deps: libhiredis0.10 libcjose0 from stable), and restarting apache, the website immediately redirects to the auth provider as expected without segfaulting.

Removing the backported 2.1.6-1 package and re-installing the stable 1.6.0-1 version causes the segfaults to recur, so this is not just a dep problem with libhiredis0.10/libcjose0.

This package should be replaced with the backports one or removed from main to let backports take precedence.

See Also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868949

Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux
libc6 2.19-18+deb8u10

-Theral Mackey
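
Added example, not part of the original report and not Debian or mod_auth_openidc code: a Python script that parses the AH00052 child-exit notices quoted in the report and flags an Apache parent process whose children keep dying from a signal within a short window, which is how this bug shows up in the error log. The function names, the threshold and the window are assumptions, and the last sample line is constructed.

```python
import re
from datetime import datetime

# First three lines are the ones quoted in the report; the last is constructed
# to show that unrelated notices are ignored.
SAMPLE_LOG = """\
[Tue Dec 05 09:48:45.411044 2017] [core:notice] [pid 2949] AH00052: child pid 2954 exit signal Segmentation fault (11)
[Tue Dec 05 09:48:48.413427 2017] [core:notice] [pid 2949] AH00052: child pid 2955 exit signal Segmentation fault (11)
[Tue Dec 05 09:48:49.414599 2017] [core:notice] [pid 2949] AH00052: child pid 2956 exit signal Segmentation fault (11)
[Tue Dec 05 09:48:50.000000 2017] [mpm_prefork:notice] [pid 2949] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
"""

TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"  # Apache 2.4 default error log timestamp
CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid (?P<parent>\d+)\] "
    r"AH00052: child pid (?P<child>\d+) exit signal .+? \((?P<signo>\d+)\)"
)

def parse_crashes(text):
    """Return one dict per AH00052 'child exited on signal' line."""
    crashes = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            crashes.append({
                "time": datetime.strptime(m["ts"], TS_FORMAT),
                "parent": int(m["parent"]),
                "child": int(m["child"]),
                "signal": int(m["signo"]),
            })
    return crashes

def crash_loops(crashes, threshold=3, window_seconds=60):
    """Map parent pid -> largest crash count seen inside any sliding window,
    for parents that reach `threshold` crashes within `window_seconds`."""
    by_parent = {}
    for c in crashes:
        by_parent.setdefault(c["parent"], []).append(c["time"])
    flagged = {}
    for parent, times in by_parent.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Shrink the window until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[parent] = best
    return flagged

if __name__ == "__main__":
    print(crash_loops(parse_crashes(SAMPLE_LOG)))
```
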