Sascha Wessels changed bug 1226217
What        Removed    Added
CC                     sascha.wessels@suse.com

Comment #22 on bug 1226217 from Sascha Wessels
(In reply to David Anes from comment #19)
> Marcus, can we update CVE pages for Apache mentioning so we can document the
> change in behavior?
> 
> Something like this should work:
> 
> "The security update for CVE-2024-24795 may need updating Apache 2
> configuration as it changes how Content-Length and Transfer-Encoding headers
> are used.
> 
> If a (Fast)CGI script is being used, then the data is not trusted by default
> and Content-Header is being removed by default. If you trust the endpoint
> and/or the code behind the CGI script, the following change is needed in
> your configuration (for example, via htaccess) so it behaves as previously.
> For example, to fix it for PHP:
> 
>   SetEnvIf Request_URI "\.php$" ap_trust_cgilike_cl
> 
> Please, adjust that configuration as needed.
> "

TID proposal:

===
Title: Apache regression ignores headers sent by CGI scripts introduced by
CVE-2024-24795

Description:
Because of changes to apache2 introduced by the security fix for CVE-2024-24795,
a configuration change may be required, as the fix changes the way the
Content-Length and Transfer-Encoding headers are used.

Resolution:
If a (Fast)CGI script is being used, then the data is not trusted by default
and Content-Headers are being removed by default. If the endpoint is trusted
and/or the code behind the CGI script, the following change is needed in
the existing configuration (for example, via htaccess) so it behaves as
previously. For example, to fix it for PHP:

  SetEnvIf Request_URI "\.php$" ap_trust_cgilike_cl

Please adjust existing configurations as needed.
===

Comments/enhancements welcome! Once agreed I will create a TID for it.
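To illustrate the opt-in described in the TID proposal above, here is an added example (not from the bug report or from the Apache project) of a vhost fragment that keeps the hardened post-fix default everywhere and re-enables trust in CGI-supplied Content-Length only for one PHP application. The hostname, document root, PHP-FPM socket and cgi-bin path are assumptions.

```apache
# Added example, not part of the bug report. Assumed: app.example.com,
# /srv/www/app, /run/php-fpm/www.sock and /srv/www/cgi-bin.
<VirtualHost *:443>
    ServerName app.example.com
    DocumentRoot /srv/www/app

    # Hand *.php to PHP-FPM. This is the "(Fast)CGI script" case the
    # CVE-2024-24795 fix affects: by default Apache now drops the
    # Content-Length / Transfer-Encoding the script sends and computes
    # the length itself.
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
    </FilesMatch>

    # Opt-in from the TID: set ap_trust_cgilike_cl only for requests whose
    # URI ends in .php, and only within this application directory, so the
    # previous behaviour is restored for PHP responses alone rather than
    # for every CGI-like backend on the server.
    <Directory /srv/www/app>
        SetEnvIf Request_URI "\.php$" ap_trust_cgilike_cl
    </Directory>

    # Classic CGI scripts keep the hardened default: no SetEnvIf here, so
    # any Content-Length they emit is removed before the response is sent.
    ScriptAlias /cgi-bin/ /srv/www/cgi-bin/
    <Directory /srv/www/cgi-bin>
        Options +ExecCGI
        Require all granted
    </Directory>
</VirtualHost>
```

Before and after applying the opt-in, a request for a .php URI and one for a /cgi-bin/ URI can be compared on the Content-Length header of the response to confirm that only the PHP path is affected.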
