Debian Bug report logs - #682401
dbmmanage: please use Digest::SHA instead of Digest::SHA1


Package: apache2-utils; Maintainer for apache2-utils is Debian Apache Maintainers <debian-apache@lists.debian.org>; Source for apache2-utils is src:apache2 (PTS, buildd, popcon).

Reported by: Ansgar Burchardt <ansgar@debian.org>

Date: Sun, 22 Jul 2012 13:15:02 UTC

Severity: serious

Found in version apache2/2.2.22-9

Fixed in version apache2/2.2.22-10

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#682401; Package apache2-utils. (Sun, 22 Jul 2012 13:15:04 GMT)


Message #3 received at submit@bugs.debian.org:

From: Ansgar Burchardt <ansgar@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dbmmanage: please use Digest::SHA instead of Digest::SHA1
Date: Sun, 22 Jul 2012 15:11:50 +0200
Package: apache2-utils
Version: 2.2.22-9
Severity: normal

dbmmanage uses Digest::SHA1, which was removed from Debian some time
ago[1].  Please use Digest::SHA instead, which is part of the core
modules included with the perl interpreter since 5.10.

  [1] <http://bugs.debian.org/594273>

In most cases just replacing Digest::SHA1 by Digest::SHA should be
enough.  Also change Digest/SHA1.pm to Digest/SHA.pm.

Regards,
Ansgar

PS: The error message in need_sha1_crypt includes a link to Digest-MD5,
but it should refer to Digest-SHA(1) instead.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2-utils depends on:
ii  libapr1      1.4.6-3
ii  libaprutil1  1.4.1-2+b1
ii  libc6        2.13-33
ii  libssl1.0.0  1.0.1c-3

apache2-utils recommends no packages.

apache2-utils suggests no packages.

-- no debconf information



Severity set to 'serious' from 'normal'. Request was from Arno Töll <arno@debian.org> to control@bugs.debian.org. (Sun, 22 Jul 2012 13:51:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#682401; Package apache2-utils. (Sun, 22 Jul 2012 13:57:05 GMT)


Acknowledgement sent to Arno Töll <arno@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sun, 22 Jul 2012 13:57:05 GMT)


Message #10 received at 682401@bugs.debian.org:

From: Arno Töll <arno@debian.org>
To: 682401@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#682401: dbmmanage: please use Digest::SHA instead of Digest::SHA1
Date: Sun, 22 Jul 2012 15:48:54 +0200
severity 682401 serious
thanks

Hi,

Evidently not too many people are using dbmmanage, even fewer with SHA1
encryption since it is not the default option, but nobody noticed so far.
Nonetheless the removal of Digest::SHA1 breaks the application in a
fatal way when SHA-1 encryption is explicitly desired. Thus, I am
raising the bug severity to serious and I will prepare a patch.

Having that said, the root issue is upstream and they probably still
plan to support older Perl versions as well. Thus, simply replacing the
modules used will not suffice, but that does not sound like a big
problem either as a simple Perl version dependent branch will do it.


Stefan, shouldn't apache2-utils recommend the required perl libraries as
well, instead of letting dbmmanage suggest the use of CPAN (e.g. for
SHA1 in the past, or still in use for MD5)?


-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#682401; Package apache2-utils. (Sun, 22 Jul 2012 20:51:07 GMT)


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sun, 22 Jul 2012 20:51:07 GMT)


Message #15 received at 682401@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 682401@bugs.debian.org
Subject: Re: Bug#682401: dbmmanage: please use Digest::SHA instead of Digest::SHA1
Date: Sun, 22 Jul 2012 22:22:15 +0200
On Sunday 22 July 2012, Arno Töll wrote:
> Evidently not too many people are using dbmmanage, even less with
> SHA1 encryption since it is not the default option but nobody
> noticed so far. Nonetheless the removal of Digest::SHA1 breaks the
> application in a fatal way when SHA-1 encryption is explicitly
> desired. Thus, I am raising the bug severity to serious and I will
> prepare a patch.

AFAICS, dbmmanage has not seen a single code commit upstream since the 
C variant, htdbm, has been introduced in 2001. Maybe we should get rid 
of dbmmanage in the 2.4 packages. But unbreaking it for wheezy by 
using Digest::SHA instead of Digest::SHA1 is still a good idea. 

> Having that said, the root issue is upstream and they probably
> still plan to support older Perl versions as well. Thus, simply
> replacing the modules used will not suffice, but that does not
> sound like a big problem either as a simple Perl version dependent
> branch will do it.
> 
> Stefan, shouldn't apache2-utils recommend the required perl
> libraries as well, instead of letting dbmmanage suggest the use of
> CPAN (e.g. for SHA1 in the past, or still in use for MD5)?

Digest::MD5 seems to be part of the "perl" package in wheezy, too. No 
recommends needed.

And I wouldn't change dependencies for squeeze unless some user 
actually complains. And even then, a suggests may be more appropriate 
in the case of Digest::SHA1, because the sha1 password hashing variant 
supported in apache is very insecure (no salt).
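
The two technical points raised so far in this thread, loading Digest::SHA with a fallback to the old Digest::SHA1 (Ansgar's report and Arno's "Perl version dependent branch"), and the unsalted nature of Apache's {SHA} password scheme (Stefan's remark above), can both be seen in the following script. It is an added illustration written for this page, not code from dbmmanage, from the Debian package or from the patch discussed here. The function names, the fallback order and the sample accounts and password-file lines are all constructed for the example; the "$apr1$" line in particular is a placeholder, not a valid MD5 entry.

```perl
#!/usr/bin/perl
# Added example (not dbmmanage's own code). Demonstrates:
#   1. loading Digest::SHA (core since perl 5.10) with a run-time fallback
#      to the older, non-core Digest::SHA1 module;
#   2. how Apache's "{SHA}" password entries are built, and why the lack
#      of a salt means identical passwords yield identical entries;
#   3. a small scan that flags {SHA} accounts in an htpasswd-style file.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Resolve a sha1() implementation at run time instead of hard-coding one
# module, so the script works on both old and new Perl installations.
my $sha1;
if (eval { require Digest::SHA; 1 }) {
    $sha1 = \&Digest::SHA::sha1;
} elsif (eval { require Digest::SHA1; 1 }) {
    $sha1 = \&Digest::SHA1::sha1;
} else {
    die "Neither Digest::SHA nor Digest::SHA1 is available; "
      . "on Debian, Digest::SHA ships with the perl package\n";
}

# Apache's {SHA} scheme: "{SHA}" followed by the base64 of the raw SHA-1
# digest of the password. There is no salt and no work factor, so the
# entry is a pure function of the password.
sub apache_sha_hash {
    my ($password) = @_;
    return '{SHA}' . encode_base64($sha1->($password), '');
}

# Verify a candidate password against a stored {SHA} entry. (A real
# authenticator would use a constant-time comparison here.)
sub apache_sha_check {
    my ($stored, $candidate) = @_;
    return apache_sha_hash($candidate) eq $stored;
}

# Flag entries in "user:hash" lines that use the unsalted {SHA} scheme,
# so an operator can find the accounts worth migrating to a salted one.
sub find_unsalted_sha {
    my (@lines) = @_;
    my @hits;
    for my $line (@lines) {
        next if $line =~ /^\s*(#|$)/;            # skip comments and blanks
        my ($user, $hash) = split /:/, $line, 2;
        push @hits, $user if defined $hash && $hash =~ /^\{SHA\}/;
    }
    return @hits;
}

# Constructed sample accounts (not real data). alice and bob share a password.
my %users = (
    alice => 'hunter2',
    bob   => 'hunter2',
    carol => 'correct horse battery staple',
);

for my $user (sort keys %users) {
    printf "%s:%s\n", $user, apache_sha_hash($users{$user});
}

# Without a salt, equal passwords produce equal entries: one precomputed
# table, or one cracked hash, covers every account sharing that password.
print "alice and bob have identical entries: ",
    (apache_sha_hash($users{alice}) eq apache_sha_hash($users{bob}) ? 'yes' : 'no'),
    "\n";
print "alice checks with the right password: ",
    (apache_sha_check(apache_sha_hash('hunter2'), 'hunter2') ? 'yes' : 'no'), "\n";
print "alice checks with a wrong password:    ",
    (apache_sha_check(apache_sha_hash('hunter2'), 'hunter3') ? 'yes' : 'no'), "\n";

# Constructed password-file lines; the $apr1$ line is a placeholder only.
my @password_file = (
    '# constructed sample, not a real password file',
    'alice:' . apache_sha_hash('hunter2'),
    'dave:$apr1$placeholder$notarealmd5entry',
    'carol:' . apache_sha_hash('correct horse battery staple'),
);
print "accounts still on unsalted {SHA}: ",
    join(', ', find_unsalted_sha(@password_file)), "\n";
```

Run it with any perl that has either Digest::SHA or Digest::SHA1 installed; the module that gets picked is invisible to the rest of the script, which is the whole point of the run-time branch. The scan is deliberately limited to the {SHA} prefix, since that is the only scheme this thread discusses.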



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#682401; Package apache2-utils. (Sun, 22 Jul 2012 22:30:03 GMT)


Acknowledgement sent to Arno Töll <arno@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sun, 22 Jul 2012 22:30:03 GMT)


Message #20 received at 682401@bugs.debian.org:

From: Arno Töll <arno@debian.org>
To: 682401@bugs.debian.org
Subject: Re: Bug#682401: dbmmanage: please use Digest::SHA instead of Digest::SHA1
Date: Mon, 23 Jul 2012 00:27:22 +0200
Hi,

On 22.07.2012 22:22, Stefan Fritsch wrote:
> AFAICS, dbmmanage has not seen a single code commit upstream since the 
> C variant, htdbm, has been introduced in 2001. Maybe we should get rid 
> of dbmmanage in the 2.4 packages. But unbreaking it for wheezy by 
> using Digest::SHA instead of Digest::SHA1 is still a good idea. 

Wouldn't it make sense to get rid of it upstream as well then? As for me,
I'm fine with leaving it around in 2.2 and patching it as Ansgar suggested, but
I'd be less careful about the upstream applicability then.

I'll make a patch for 2.2/2.4 tomorrow and get in touch with the release
team afterwards.

> And I wouldn't change dependencies for squeeze unless some user 
> actually complains. And even then, a suggests may be more appropriate 
> in the case of Digest::SHA1, because the sha1 password hashing variant 
> supported in apache is very insecure (no salt).
> 

Fine with me.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#682401; Package apache2-utils. (Mon, 23 Jul 2012 22:03:05 GMT)


Acknowledgement sent to Arno Töll <arno@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Mon, 23 Jul 2012 22:03:05 GMT)


Message #25 received at 682401@bugs.debian.org:

From: Arno Töll <arno@debian.org>
To: 682401@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#682401: dbmmanage: please use Digest::SHA instead of Digest::SHA1
Date: Tue, 24 Jul 2012 00:00:34 +0200
tags 682401 + pending
thanks

Hi,

On 22.07.2012 22:22, Stefan Fritsch wrote:
> AFAICS, dbmmanage has not seen a single code commit upstream since the 
> C variant, htdbm, has been introduced in 2001. Maybe we should get rid 
> of dbmmanage in the 2.4 packages. But unbreaking it for wheezy by 
> using Digest::SHA instead of Digest::SHA1 is still a good idea. 

Done both. I committed rab80d43 which I want to get into Testing
(waiting a bit for you to comment before uploading, however) and
r28a921f for 2.4 which drops the tool entirely.

> Digest::MD5 seems to be part of the "perl" package in wheezy, too. No 
> recommends needed.

Digest::MD5 is, but dbmmanage uses Crypt::PasswdMD5, which is not
API-compatible with Digest::MD5. That needs (a bit) more work to get it
running with the perl base distribution.

Thus, users of MD5 will get a warning to install the appropriate
modules. I improved the message though, so that the Debian package name
is told.



-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D


Added tag(s) pending. Request was from Arno Töll <arno@debian.org> to control@bugs.debian.org. (Mon, 23 Jul 2012 22:03:07 GMT)


Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Mon, 30 Jul 2012 20:51:24 GMT)


Notification sent to Ansgar Burchardt <ansgar@debian.org>:
Bug acknowledged by developer. (Mon, 30 Jul 2012 20:51:24 GMT)


Message #32 received at 682401-close@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: 682401-close@bugs.debian.org
Subject: Bug#682401: fixed in apache2 2.2.22-10
Date: Mon, 30 Jul 2012 20:47:17 +0000
Source: apache2
Source-Version: 2.2.22-10

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 682401@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 30 Jul 2012 22:23:02 +0200
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source i386 all
Version: 2.2.22-10
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-itk - multiuser MPM for Apache 2.2
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 682401 682840 682897
Changes: 
 apache2 (2.2.22-10) unstable; urgency=low
 .
   [ Arno Töll ]
   * Fix "dbmmanage: please use Digest::SHA instead of Digest::SHA1" by changing
     perl module imports to make use of Digest::SHA shipped with perl 5.10 (Closes:
     #682401)
   * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible
     with ext3" by changing the default to more moderate values. Some file
     systems have a hard limit for the number of subdirectories in a single
     directory. This change requires the cache directory to be purged.
     (Closes: #682840)
 .
   [ Stefan Fritsch ]
   * Add support for TLSv1.0 and TLSv1.1 to SSLProtocol and SSLProxyProtocol
     directives. Closes: #682897
Checksums-Sha1: 
 8f86fec0f8c5fe15f272f825c2b8e21ab0277bc9 2239 apache2_2.2.22-10.dsc
 b5c440cd58d7275d2e0fd5f9f12a23168a50e2e3 196047 apache2_2.2.22-10.debian.tar.gz
 10fd51208ceccfac42dd8ab861be5c91dbaa1111 319418 apache2.2-common_2.2.22-10_i386.deb
 99495fd963d9b3fb87645888979ad88392dbe108 1459948 apache2.2-bin_2.2.22-10_i386.deb
 5746bbc8ca2267b0de5e9a65698e12430ea37e9c 2194 apache2-mpm-worker_2.2.22-10_i386.deb
 fe96edf116eefa13fbab816b8b3557183e9f34fd 2296 apache2-mpm-prefork_2.2.22-10_i386.deb
 fac3ebd2f56a6a2c861e4317974388c981c8fa99 2256 apache2-mpm-event_2.2.22-10_i386.deb
 d2dfd4271dcd8b43769175e66499b0089dd59a26 2286 apache2-mpm-itk_2.2.22-10_i386.deb
 3e3c90dc846d694e7a2e066ca2699874eb29a2c2 176766 apache2-utils_2.2.22-10_i386.deb
 52e513e6827d294b734a3816d9579d629b03c0f3 107038 apache2-suexec_2.2.22-10_i386.deb
 f8d4d0bd39bff8754d53c1bbd39d82d96e09c2db 108748 apache2-suexec-custom_2.2.22-10_i386.deb
 c5df9a3251d5aed69efc02edf286e88697d8e1cb 1390 apache2_2.2.22-10_i386.deb
 3f0032085d9040b6e064336be41963520ab070c4 2704712 apache2-doc_2.2.22-10_all.deb
 c820dc26e942d61e83e3e2b530834b4ec43deb2e 137956 apache2-prefork-dev_2.2.22-10_i386.deb
 0b84994b1c2ba0775396bc11fef3db7ca5553e96 139122 apache2-threaded-dev_2.2.22-10_i386.deb
 bebe18615909b4a9af4ceb4f5f112389a67b9bba 3502666 apache2-dbg_2.2.22-10_i386.deb
Checksums-Sha256: 
 4999022bc188e58d905c3afe2e085afa36ba7d86a55b40e8c8af904ab7133704 2239 apache2_2.2.22-10.dsc
 a49796cd200fea21f62596af58a2e44c33ca77769432f6bde241856f47f42d97 196047 apache2_2.2.22-10.debian.tar.gz
 bd0d955001036f1bc2357a2e8aef2a04204c0b5b0ce88a89d460c903d56b177b 319418 apache2.2-common_2.2.22-10_i386.deb
 f432f9b5280edcc25758b9b5ada371102fb5c342b21cc9da55f4771e7b5b31eb 1459948 apache2.2-bin_2.2.22-10_i386.deb
 fc7fe88c2065e46b6b5bf8a6fc29bdc5030009d68e722c5659136674b4a705e7 2194 apache2-mpm-worker_2.2.22-10_i386.deb
 b80c13b109ed492e117261118555af11df59904b4a1f0a17fdeaa16530f0a160 2296 apache2-mpm-prefork_2.2.22-10_i386.deb
 a91a9abcbe90b0df122769ae81e2d727a5a3440da668ee2f64c8fd7a65a8ef0b 2256 apache2-mpm-event_2.2.22-10_i386.deb
 8c3938a12b89499b4f2e9f544b3f2031c802dff440406f92db1841ddb2f51d17 2286 apache2-mpm-itk_2.2.22-10_i386.deb
 7856705c95f7ca75756590dff0cada1697f1dc08dedfc07c1c89bad1174af3d1 176766 apache2-utils_2.2.22-10_i386.deb
 6190d04d7563f23a776acf1bd06fa060a747509f7379654a6cbd78752ac6114b 107038 apache2-suexec_2.2.22-10_i386.deb
 d99b5768f48c28de3a921971792b79b31abefc0a266417621ece4188176d780d 108748 apache2-suexec-custom_2.2.22-10_i386.deb
 0a8fe41b973c78e8d969572bb54379559b45a4d24c9962a6365248653f8c2bde 1390 apache2_2.2.22-10_i386.deb
 3e81130e006752b1e9c1a944495ef421fb133d08944382b2030aa0e53bdd6ffd 2704712 apache2-doc_2.2.22-10_all.deb
 1172dd14dbbf1e3fa49c0baafd42a25ef9a777f84f8fe0dac7e235fb5558dd7f 137956 apache2-prefork-dev_2.2.22-10_i386.deb
 1df452e8c54e3d64070e8dd467e635164e706cacfe7df94062609ed791557c36 139122 apache2-threaded-dev_2.2.22-10_i386.deb
 935f11ca761bb0ea513e7526d44cb16d77f78c88304993a8fb3ad738ef8e7a51 3502666 apache2-dbg_2.2.22-10_i386.deb
Files: 
 64e2184b03360f0d8d37b5be1c44d174 2239 httpd optional apache2_2.2.22-10.dsc
 4882b26ad0371240a7498034966822e8 196047 httpd optional apache2_2.2.22-10.debian.tar.gz
 a409088cb05f92af20a70517eb2370ae 319418 httpd optional apache2.2-common_2.2.22-10_i386.deb
 d9c614080772ca201dd9121b7bc21bf4 1459948 httpd optional apache2.2-bin_2.2.22-10_i386.deb
 6a1784500bb6b7c3094f1cf607d6b2bf 2194 httpd optional apache2-mpm-worker_2.2.22-10_i386.deb
 6addb686d73da09f2a7a09c6ad3f58e0 2296 httpd optional apache2-mpm-prefork_2.2.22-10_i386.deb
 cc890d0451b5cfa1787b1354462a78cb 2256 httpd optional apache2-mpm-event_2.2.22-10_i386.deb
 9a6f4cd47fa57c1e902d03b9ee5245ea 2286 httpd extra apache2-mpm-itk_2.2.22-10_i386.deb
 fe940c2bd21cbd6cfb7bfb2ef52abdfb 176766 httpd optional apache2-utils_2.2.22-10_i386.deb
 e0a39f0847e5dc610861bbf8496a29e9 107038 httpd optional apache2-suexec_2.2.22-10_i386.deb
 84cec5ec31a30d8d4ae394829fabeabc 108748 httpd extra apache2-suexec-custom_2.2.22-10_i386.deb
 fff63f167c24052c38b0f8dd18ecfa78 1390 httpd optional apache2_2.2.22-10_i386.deb
 195b1f4ae046c72b6aa2d2eac29fdf58 2704712 doc optional apache2-doc_2.2.22-10_all.deb
 b201b1c92fd1b08546441cab2b4c5492 137956 httpd extra apache2-prefork-dev_2.2.22-10_i386.deb
 43bddc75c2769da38e675b74b381b497 139122 httpd extra apache2-threaded-dev_2.2.22-10_i386.deb
 cb22b949c43e76ffeb97a79b9c005bd2 3502666 debug extra apache2-dbg_2.2.22-10_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFQFvDQbxelr8HyTqQRAmd6AKCQfTeUjeGqob54veIS9jsUWMUTlwCfQct/
7dy4/HquvJKXZL4Jea4pHIs=
=W4b0
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Aug 2012 07:25:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 22:33:01 2023; Machine Name: buxtehude
