Bug 684311

Summary: Your browser sent a request that this server could not understand. Request header field is missing ':' separator.
Product: Red Hat Enterprise Linux 6
Component: httpd
Version: 6.0
Hardware: All
OS: Linux
Status: CLOSED INSUFFICIENT_DATA
Severity: medium
Priority: unspecified
Target Milestone: rc
Reporter: robert
Assignee: Joe Orton <jorton>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: gui1ty, jorton, khalasa, la_antorcha_guia, nicolas.mailhot, pahan, prc, sandro.bonazzola
Doc Type: Bug Fix
Clone Of: 624609
Last Closed: 2011-09-16 08:22:14 UTC

Description robert 2011-03-11 18:23:57 UTC
+++ This bug was initially created as a clone of Bug #624609 +++

Description of problem:

Lately, I've started getting a lot of “Request header field is missing ':' separator.” when accessing my Fedora-hosted webmail.

It seems a bug has been introduced apache-side or squirrelmail-side.

I had some problem occurrences using various versions of Firefox (Linux and Windows), and even a few times when using Links.

Version-Release number of selected component (if applicable):
httpd-2.2.16-1.fc14

--- Additional comment from nicolas.mailhot on 2010-08-17 04:38:58 EDT ---

Created attachment 439071
Example of problem exchange captured by live http headers extension client-side

The error generated in the right pane was:

Bad Request

Your browser sent a request that this server could not understand.
Request header field is missing ':' separator.

pEyPnEsB%2B4

Apache Server at myserver.com Port 443

--- Additional comment from jorton on 2010-08-17 05:23:53 EDT ---

This is seen over SSL?

--- Additional comment from nicolas.mailhot on 2010-08-17 08:31:28 EDT ---

Yes, this is an https access

--- Additional comment from nicolas.mailhot on 2010-08-17 08:32:16 EDT ---

(you have all the traces and URLs used in the attached capture)

--- Additional comment from jorton on 2010-08-17 08:59:26 EDT ---

Can you try this build:

http://koji.fedoraproject.org/koji/taskinfo?taskID=2406801

it pulls in one bug fix from upstream.

--- Additional comment from nicolas.mailhot on 2010-08-17 13:32:40 EDT ---

I'll test this one now.

--- Additional comment from nicolas.mailhot on 2010-08-19 12:41:27 EDT ---

Seems fixed, many thanks

--- Additional comment from sandro.bonazzola on 2010-10-08 10:14:24 EDT ---

The package is still not in Fedora 14: latest httpd available is built 26/07/2010. The fix according to http://koji.fedoraproject.org/koji/taskinfo?taskID=2406801 is dated Tue, 17 Aug 2010.

It isn't in fedora repo or in updates-testing repo. Can anybody push this to the repository?

--- Additional comment from bugzilla_redhat on 2010-10-26 16:26:58 EDT ---

Could you please push this fix in bodhi, so we can get it in F14 as a 0-day update?

Many thanks.

--- Additional comment from jorton on 2010-10-27 06:06:40 EDT ---

Sorry, yes, this bug shouldn't have been closed out.  I'm building 2.2.17 for f14 updates which has this fix.

--- Additional comment from jorton on 2010-10-27 06:07:15 EDT ---

*** Bug 646704 has been marked as a duplicate of this bug. ***

--- Additional comment from updates on 2010-10-27 06:15:36 EDT ---

httpd-2.2.17-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/httpd-2.2.17-1.fc14

--- Additional comment from updates on 2010-10-28 01:58:45 EDT ---

httpd-2.2.17-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/httpd-2.2.17-1.fc14

--- Additional comment from jorton on 2010-10-29 06:34:40 EDT ---

*** Bug 640959 has been marked as a duplicate of this bug. ***

--- Additional comment from updates on 2010-11-08 17:35:26 EST ---

httpd-2.2.17-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.


====================================================

This bug also occurs on RHEL6 (httpd-2.2.15)

Comment 2 Joe Orton 2011-03-12 15:13:10 UTC
The Fedora bug to which this corresponds is caused by an overlapping memcpy() in mod_ssl.  This issue was triggered by a change in glibc which meant an overlapping memcpy now causes data corruption - see bug 638477 for background.

The particular change in the glibc memcpy is not present in the RHEL 6 glibc, and this issue is not known to be reproducible in the RHEL 6 httpd.

Please:

a) describe exactly the symptoms you are seeing, and describe how you can reproduce them.

b) confirm the version of glibc you are using.

Please note that bugzilla is not a support tool and customers should contact Red Hat Technical Support in the first instance with any questions or issues you are having with the software; see:

  http://www.redhat.com/support/process/

for more information.
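
The overlapping-copy failure described in Comment 2, as an added example that is not taken from this bug, from httpd/mod_ssl or from glibc. It assumes a hypothetical buffer-compaction step; `copy_high_to_low` is a stand-in for a `memcpy()` that happens to copy backward, and the buffer contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: 4 already-consumed bytes followed by one header line. */
#define SAMPLE "XXXXHost: example.test\r\n"
#define CONSUMED 4

/* True when [dst, dst+n) and [src, src+n) share at least one byte. */
int regions_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    return n != 0 && d < s + n && s < d + n;
}

/* Stand-in for a memcpy() that copies from the last byte to the first.
 * Any order is allowed, since memcpy() on overlapping regions is undefined. */
void *copy_high_to_low(void *dst, const void *src, size_t n)
{
    unsigned char *d = dst;
    const unsigned char *s = src;
    while (n--)
        d[n] = s[n];
    return dst;
}

/* Shift the unread tail of buf to the front; returns the new length. */
size_t compact(char *buf, size_t len, size_t off, int use_memmove)
{
    if (use_memmove)
        memmove(buf, buf + off, len - off);          /* defined for overlap */
    else
        copy_high_to_low(buf, buf + off, len - off); /* corrupts on overlap */
    return len - off;
}

/* Returns 1 if the header line still contains its ':' after compaction. */
int colon_survives(int use_memmove)
{
    char buf[] = SAMPLE;
    size_t n = compact(buf, sizeof(buf) - 1, CONSUMED, use_memmove);
    return memchr(buf, ':', n) != NULL;
}

/* Returns 1 if the compacted buffer is byte-identical to the header line. */
int header_intact(int use_memmove)
{
    char buf[] = SAMPLE;
    size_t n = compact(buf, sizeof(buf) - 1, CONSUMED, use_memmove);
    return n == 20 && memcmp(buf, SAMPLE + CONSUMED, n) == 0;
}
```

With the backward copy the 20-byte result is the last four source bytes repeated, so the header's `:` is gone; `memmove()` leaves the line intact. A `regions_overlap()` check before any `memcpy()` call is a cheap way to find such call sites during an audit.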

Comment 3 robert 2011-03-14 09:06:59 UTC
Symptoms:
When accessing pages through SSL, I sometimes receive:

     Bad Request

     Your browser sent a request that this server could not understand.
     Request header field is missing ':' separator.

     olhuaqv3o1t29flvr0

It does not happen often at the beginning, but it becomes worse if the server stays running for some time.  A simple 'refresh' of the page often succeeds.

Disabling "mod_rewrite" (found on forums) seems to remove the problem, but it's hard to be sure as the problem does not always occur...

Currently, I solved the problem by compiling the httpd-2.2.17 source rpm for FC13, which seems to work normally without this issue, with the exact same configuration...

GLIBC : glibc-2.12-1.7.el6_0.3.i686

Comment 4 RHEL Program Management 2011-04-04 02:10:41 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 5 Joe Orton 2011-05-31 14:43:51 UTC
Is this still reproducible with 2.2.15-9?

Comment 6 Joe Orton 2011-09-16 08:22:14 UTC
If you have a reproduction case with the latest updates, please re-open.