[request-tracker-maintainers] Bug#674924: Bug#674924: request-tracker3.8: Web interface periodically stops working after DSA-2480-1
Will Aoki
waoki at umnh.utah.edu
Mon May 28 18:35:24 UTC 2012
On Mon, May 28, 2012 at 06:00:56PM +0100, Dominic Hargreaves wrote:
> Could you check whether the problem goes away if you downgrade to
> 3.8.8-7+squeeze1 (making sure you stop and start apache afterwards)?
I'll do that and see if support staff still see the problem. It'll take
a day or so to be sure it's not happening.
> Is the host dedicated to RT or are there other applications/pages
> being served from Apache?
It's a dedicated virtual machine.
> Is it possible that other changes were made to the system configuration
> which have only just been picked up at the point you upgraded?
I don't have record of any configuration changes being made. The only
upgrade I see that might have touched something is the OpenSSL upgrade
installed on the 17th, if Apache wasn't restarted. Here's a transcript
of all upgrades since the last reboot before installing
3.8-3.8.8-7+squeeze2:
[May 17]
cfengine:rt:/bin/sh -c 'DEB: Preconfiguring packages ...
cfengine:rt:/bin/sh -c 'DEB: (Reading database ... 51406 files and directories currently installed.)
cfengine:rt:/bin/sh -c 'DEB: Preparing to replace libssl0.9.8 0.9.8o-4squeeze12 (using .../libssl0.9.8_0.9.8o-4squeeze13_amd64.deb) ...
cfengine:rt:/bin/sh -c 'DEB: Unpacking replacement libssl0.9.8 ...
cfengine:rt:/bin/sh -c 'DEB: Preparing to replace openssl 0.9.8o-4squeeze12 (using .../openssl_0.9.8o-4squeeze13_amd64.deb) ...
cfengine:rt:/bin/sh -c 'DEB: Unpacking replacement openssl ...
cfengine:rt:/bin/sh -c 'DEB: Processing triggers for man-db ...
cfengine:rt:/bin/sh -c 'DEB: Setting up libssl0.9.8 (0.9.8o-4squeeze13) ...
cfengine:rt:/bin/sh -c 'DEB: Setting up openssl (0.9.8o-4squeeze13) ...
[May 23]
cfengine:rt:/bin/sh -c 'DEB: (Reading database ... 51406 files and directories currently installed.)
cfengine:rt:/bin/sh -c 'DEB: Preparing to replace libxml2 2.7.8.dfsg-2+squeeze3 (using .../libxml2_2.7.8.dfsg-2+squeeze4_amd64.deb) ...
cfengine:rt:/bin/sh -c 'DEB: Unpacking replacement libxml2 ...
cfengine:rt:/bin/sh -c 'DEB: Preparing to replace sudo 1.7.4p4-2.squeeze.2 (using .../sudo_1.7.4p4-2.squeeze.3_amd64.deb) ...
cfengine:rt:/bin/sh -c 'DEB: Unpacking replacement sudo ...
cfengine:rt:/bin/sh -c 'DEB: Processing triggers for man-db ...
cfengine:rt:/bin/sh -c 'DEB: Setting up libxml2 (2.7.8.dfsg-2+squeeze4) ...
cfengine:rt:/bin/sh -c 'DEB: Setting up sudo (1.7.4p4-2.squeeze.3) ...
[May 24]
cfengine:rt:/bin/sh -c 'DEB: Preconfiguring packages ...
cfengine:rt:/bin/sh -c 'DEB: (Reading database ... 51406 files and directories currently installed.)
cfengine:rt:/bin/sh -c 'DEB: Preparing to replace request-tracker3.8 3.8.8-7+squeeze1 (using .../request-tracker3.8_3.8.8-7+squeeze2_all.deb) ...
cfengine:rt:/bin/sh -c 'DEB: Unpacking replacement request-tracker3.8 ...
cfengine:rt:/bin/sh -c 'DEB: Preparing to replace rt3.8-clients 3.8.8-7+squeeze1 (using .../rt3.8-clients_3.8.8-7+squeeze2_all.deb) ...
cfengine:rt:/bin/sh -c 'DEB: Unpacking replacement rt3.8-clients ...
cfengine:rt:/bin/sh -c 'DEB: Preparing to replace rt3.8-apache2 3.8.8-7+squeeze1 (using .../rt3.8-apache2_3.8.8-7+squeeze2_all.deb) ...
cfengine:rt:/bin/sh -c 'DEB: Unpacking replacement rt3.8-apache2 ...
cfengine:rt:/bin/sh -c 'DEB: Preparing to replace rt3.8-db-mysql 3.8.8-7+squeeze1 (using .../rt3.8-db-mysql_3.8.8-7+squeeze2_all.deb) ...
cfengine:rt:/bin/sh -c 'DEB: Unpacking replacement rt3.8-db-mysql ...
cfengine:rt:/bin/sh -c 'DEB: Processing triggers for man-db ...
cfengine:rt:/bin/sh -c 'DEB: Setting up rt3.8-clients (3.8.8-7+squeeze2) ...
cfengine:rt:/bin/sh -c 'DEB: Setting up rt3.8-apache2 (3.8.8-7+squeeze2) ...
cfengine:rt:/bin/sh -c 'DEB: Setting up rt3.8-db-mysql (3.8.8-7+squeeze2) ...
cfengine:rt:/bin/sh -c 'DEB: Setting up request-tracker3.8 (3.8.8-7+squeeze2) ...
cfengine:rt:/bin/sh -c 'DEB: **WARNING**
cfengine:rt:/bin/sh -c 'DEB: **WARNING** If you are using mod_perl or any form of persistent perl
cfengine:rt:/bin/sh -c 'DEB: **WARNING** process such as FastCGI or SpeedyCGI, you will need to
cfengine:rt:/bin/sh -c 'DEB: **WARNING** restart your web server and any persistent processes now.
cfengine:rt:/bin/sh -c 'DEB: **WARNING**
cfengine:rt:/bin/sh -c 'DEB: **WARNING**
cfengine:rt:/bin/sh -c 'DEB: **WARNING** If you are using mod_perl or any form of persistent perl
cfengine:rt:/bin/sh -c 'DEB: **WARNING** process such as FastCGI or SpeedyCGI, you will need to
cfengine:rt:/bin/sh -c 'DEB: **WARNING** restart your web server and any persistent processes now.
cfengine:rt:/bin/sh -c 'DEB: **WARNING**
cfengine:rt:/bin/sh -c 'DEB: dbconfig-common: writing config to /etc/dbconfig-common/request-tracker3.8.conf
cfengine:rt:/bin/sh -c 'DEB: dbconfig-common: flushing administrative password
cfengine:rt:/bin/sh -c 'DEB: No users with unsalted or weak cryptography found.
cfengine:rt:/bin/sh -c 'DEB: pam_mount(spawn.c:102): error setting uid to 0
cfengine:rt:/bin/sh -c 'DEB: rt-vulnerable-passwords-3.8 invoked successfully on upgrade
cfengine:rt:/bin/sh -c 'DEB: Can't determine perl binary that RT uses; assuming /usr/bin/perl
cfengine:rt:/bin/sh -c 'DEB: Cleaning up 5 transactions
cfengine:rt:/bin/sh -c 'DEB: Done.
cfengine:rt:/bin/sh -c 'DEB: pam_mount(spawn.c:102): error setting uid to 0
cfengine:rt:/bin/sh -c 'DEB: rt-clean-user-txns-3.8 invoked successfully on upgrade
> Can you confirm which webserver mode you are using (fastcgi, mod_perl)
> and any provide relevant config snippets (for example are you including
> config from /etc/request-tracker3.8 in Apache, or configuring things
> manually?
It's using mod_perl.
---- BEGIN /etc/request-tracker3.8/apache2-modperl2.conf ----
# To use RT together with mod_perl2, available in the
# libapache2-mod-perl2 package, include this file with:
#
# Include /etc/request-tracker3.8/apache2-modperl2.conf
#
# into your Apache configuration file, in a virtual host section.
# You will need to enable the Apache modules: perl, actions, rewrite
#
# The best place for this in the Debian Apache2 default situation is
# near the end of the VirtualHost section in the file
# /etc/apache2/sites-available/default.
# You might want to enable this line
# AddDefaultCharset UTF-8
PerlModule Apache2::RequestRec Apache2::compat
PerlModule Apache::DBI
PerlRequire /usr/share/request-tracker3.8/libexec/webmux.pl
PerlSetVar MasonArgsMethod CGI
# Normally a request for a directory will be rewritten to index.html
# (or similar) by default if that file exists. For some reason this does
# not happen with the handler being set to perl-script. We thus have to
# do it ourselves using mod_rewrite.
RewriteEngine on
# You might need to alter these two lines which refer to /rt to match
# whatever base URL you are using for your rt3 site.
RewriteRule ^/rt$ /rt/
RewriteRule ^/rt/(.*)$ /usr/share/request-tracker3.8/html/$1
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(/usr/share/request-tracker3.8/html.*)/$ $1/index.html
# We need this to prevent requests for images being sent through to
# the RT::Mason handler.
<Directory /usr/share/request-tracker3.8/html/NoAuth/images>
SetHandler default-handler
</Directory>
<Directory /usr/share/request-tracker3.8/html>
SetHandler perl-script
PerlHandler RT::Mason
</Directory>
# Limit mail gateway access to localhost by default
---- END /etc/request-tracker3.8/apache2-modperl2.conf ----
Config for the SSL site we're accessing it from:
---- BEGIN /etc/apache2/sites-enabled/rt ----
<VirtualHost _default_:443>
ServerAdmin [redacted due to spambots]
DocumentRoot /www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
Include "/etc/request-tracker3.8/apache2-modperl2.conf"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile [redacted]
SSLCertificateKeyFile [redacted]
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile [redacted]
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
---- END /etc/apache2/sites-enabled/rt ----
More information about the pkg-request-tracker-maintainers
mailing list