[Bug 1226217] Regression of security fix: Apache ignores headers sent by CGI scripts
https://bugzilla.suse.com/show_bug.cgi?id=1226217
https://bugzilla.suse.com/show_bug.cgi?id=1226217#c5

David Anes <david.anes@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |david.anes@suse.com

--- Comment #5 from David Anes <david.anes@suse.com> ---
(In reply to Dirk Stoecker from comment #4)
> @Petr: As far as I can see that's not related. The issue here is that apache in the buggy patched version ignores the lines which the CGI script outputs (i.e. sends to apache via stdout) and instead does what it wants on the output side.
>
> Contrary to what my initial report says, after looking at the patch which seems to be the cause, probably only the headers content-length and transfer-encoding are affected.
>
> As said, a downgrade to the previous version 14.1 fixes the issue, so the reason can only be in the applied SUSE security patches.

Hello Dirk,

I'm working on this one right now. My plan is the following:

1. Creating a simple reproducing environment.
2. Test against latest apache version in TW (to validate if this happens with latest published version of Apache).
3. Bisect the changes on the aforementioned patches (there are 3 in total).
4. Debug the issue and evaluate the best course of action.

Let me work on it and I'll come back to you asap.