Apache regression ignores headers sent by CGI scripts introduced by CVE-2024-24795
This document (000021486) is provided subject to the disclaimer at the end of this document.
Environment
For a comprehensive list of affected products, please review the SUSE CVE announcement .
Situation
Because of changes to apache2 introduced by security fix CVE-2024-24795 a configuration change may be required as the fix changes the way how Content-Length and Transfer-Encoding header are used.
Resolution
If a (Fast)CGI script is being used, then the data is not trusted by default and Content-Headers are being removed by default. If the endpoint is trusted and/or the code behind the CGI script, the following change is needed in the existing configuration (for example, via htaccess) so it behaves as previously. For example, to fix it for PHP:
SetEnvIf Request_URI "\.php$" ap_trust_cgilike_clPlease adjust existing configurations as needed.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021486
- Creation Date: 08-Jul-2024
- Modified Date:08-Jul-2024
-
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
