[Bug 1226217] Regression of security fix: Apache ignores headers sent by CGI scripts
https://bugzilla.suse.com/show_bug.cgi?id=1226217
https://bugzilla.suse.com/show_bug.cgi?id=1226217#c22

Sascha Wessels <sascha.wessels@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sascha.wessels@suse.com

--- Comment #22 from Sascha Wessels <sascha.wessels@suse.com> ---
(In reply to David Anes from comment #19)
> Marcus, can we update CVE pages for Apache mentioning this, so we can document the change in behavior?
> Something like this should work:
>
> "The security update for CVE-2024-24795 may require updating the Apache 2 configuration, as it changes how Content-Length and Transfer-Encoding headers are used.
> If a (Fast)CGI script is being used, then the data is not trusted by default and the Content-Header is removed by default. If you trust the endpoint and/or the code behind the CGI script, the following change is needed in your configuration (for example, via htaccess) so it behaves as previously. For example, to fix it for PHP:
>
> SetEnvIf Request_URI "\.php$" ap_trust_cgilike_cl
>
> Please adjust that configuration as needed."
TID proposal:

===
Title: Apache regression ignores headers sent by CGI scripts, introduced by CVE-2024-24795

Description: Because of changes to apache2 introduced by the security fix for CVE-2024-24799, a configuration change may be required, as the fix changes the way the Content-Length and Transfer-Encoding headers are used.

Resolution: If a (Fast)CGI script is being used, then the data is not trusted by default and the Content-Headers are removed by default. If the endpoint and/or the code behind the CGI script is trusted, the following change is needed in the existing configuration (for example, via htaccess) so it behaves as previously. For example, to fix it for PHP:

SetEnvIf Request_URI "\.php$" ap_trust_cgilike_cl

Please adjust existing configurations as needed.
===

Comments/enhancements welcome! Once agreed I will create a TID for it.
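As an added illustration (not part of the bug report or the proposed TID), the same directive placed in a virtual host and scoped to one application directory, so the pre-fix trust in script-supplied Content-Length is restored only where it is needed rather than server-wide; the hostname and paths are assumed:

```apacheconf
# Added example: re-enable trust in CGI-like Content-Length narrowly.
#
# Server-wide trust would restore the pre-CVE-2024-24795 behaviour for every
# CGI/FastCGI endpoint on the host and is the setting to avoid:
#   SetEnv ap_trust_cgilike_cl 1

<VirtualHost *:443>
    ServerName app.example.test          # assumed hostname
    DocumentRoot "/srv/www/app"          # assumed path

    # Only PHP requests under /srv/www/app carry the env var; any other
    # CGI-like endpoint keeps the updated default (script Content-Length
    # dropped, response framed by Apache instead).
    <Directory "/srv/www/app">
        SetEnvIf Request_URI "\.php$" ap_trust_cgilike_cl
    </Directory>
</VirtualHost>
```

After a reload, `curl -sI https://app.example.test/index.php` should show a Content-Length header for the trusted path, while an untrusted CGI endpoint on the same host is served with Transfer-Encoding: chunked.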