Bug 736592

Summary: httpd: RHSA-2011:1245 regressions [rhel-6]
Product: Red Hat Enterprise Linux 6
Component: httpd
Version: 6.1
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Keywords: Regression
Reporter: Tomas Hoger <thoger>
Assignee: Joe Orton <jorton>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: prc, rdassen, sven, syeghiay, wnefal+redhatbugzilla
Target Milestone: rc
Doc Type: Bug Fix
Last Closed: 2011-10-20 16:57:07 UTC
Bug Blocks: 747120

Description Tomas Hoger 2011-09-08 07:59:23 UTC
Description of problem:
RHSA-2011:1245 provided a fix for CVE-2011-3192, which significantly changed the range handling code and resulted in a few regressions:

A suffix-byte-range-spec ("-" suffix-length) was handled as equivalent to 0-suffix-length, resulting in the first suffix-length + 1 bytes being returned rather than the last suffix-length bytes.  Reported upstream in:
https://issues.apache.org/bugzilla/show_bug.cgi?id=51748

httpd did not return a 416 error when all specified ranges were unsatisfiable. This can happen if the range specification is syntactically incorrect, or if first-byte-pos is beyond the end of the file.

The fix as applied to upstream 2.2.x SVN branch:
http://svn.apache.org/viewvc?view=revision&revision=1165607

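The two range-handling behaviours the description above calls out, as an added example written for this page rather than code from httpd: a resolver that maps a Range header onto an entity of known length, treating "-N" as the last N bytes and answering 416 only when nothing in the byte-range-set is satisfiable, beside a model of the regressed suffix handling ("-N" read as "0-N", so the first N+1 bytes come back). Assumptions, all mine: a spec is digits and a single "-" with no inner whitespace; a syntactically invalid spec counts as unsatisfiable, as the report describes (RFC 2616 §14.35.1 instead lets a server ignore a header containing an invalid spec); and `serve` concatenates multiple ranges into one payload instead of building a multipart/byteranges body. The sample entity `b"0123456789"` is constructed for the demonstration.

```python
"""Resolve an HTTP/1.1 Range header against an entity of known length.

Added example (not httpd code).  Models the two behaviours the report says
RHSA-2011:1245 got wrong:
  * "-N" (suffix-byte-range-spec) selects the LAST N bytes, not bytes 0..N;
  * when every spec is unsatisfiable (or malformed), the answer is 416.
"""
import re

# Assumption: a spec is <digits>-<digits> with either side optional, no inner whitespace.
SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def resolve_ranges(range_header, length):
    """Return (status, ranges).

    status -> 200 (no usable header: serve the whole entity), 206 or 416
    ranges -> list of inclusive (first, last) offsets; empty unless status is 206
    """
    if range_header is None:
        return 200, []
    unit, sep, spec_set = range_header.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return 200, []                       # unknown range unit: ignore the header
    ranges = []
    for raw in spec_set.split(","):
        m = SPEC_RE.match(raw.strip())
        if not m:
            continue                         # syntactically invalid: unsatisfiable (per the report)
        first_s, last_s = m.groups()
        if not first_s and not last_s:
            continue                         # a bare "-" selects nothing
        if not first_s:
            # suffix-byte-range-spec "-N": the last N bytes of the entity
            n = min(int(last_s), length)
            if n == 0:
                continue                     # "-0" (or an empty entity) is unsatisfiable
            ranges.append((length - n, length - 1))
            continue
        first = int(first_s)
        if first >= length:
            continue                         # first-byte-pos beyond the end of the file
        last = length - 1 if not last_s else min(int(last_s), length - 1)
        if last < first:
            continue                         # last-byte-pos < first-byte-pos is invalid
        ranges.append((first, last))
    if not ranges:
        return 416, []                       # every spec was unsatisfiable
    return 206, ranges


def regressed_resolve(range_header, length):
    """Model of the regression in the report: '-N' handled as '0-N'.

    Rewrites each suffix spec to start at offset 0 and then resolves normally,
    so "-3" yields bytes 0..3, i.e. the first suffix-length + 1 bytes.
    """
    if range_header is None:
        return resolve_ranges(None, length)
    unit, sep, spec_set = range_header.partition("=")
    rewritten = ",".join(
        "0" + s.strip() if s.strip().startswith("-") else s.strip()
        for s in spec_set.split(",")
    )
    return resolve_ranges(unit + sep + rewritten, length)


def serve(data, range_header, resolver=resolve_ranges):
    """Return (status, body) for the given entity bytes and Range header.

    Assumption: multiple ranges are concatenated here for illustration; a real
    server sends them as a multipart/byteranges body.
    """
    status, ranges = resolver(range_header, len(data))
    if status == 200:
        return 200, data
    if status == 416:
        return 416, b""
    return 206, b"".join(data[first:last + 1] for first, last in ranges)


if __name__ == "__main__":
    entity = b"0123456789"                    # constructed sample entity
    print("correct   bytes=-3 ->", serve(entity, "bytes=-3"))
    print("regressed bytes=-3 ->", serve(entity, "bytes=-3", regressed_resolve))
    print("bytes=500-         ->", serve(entity, "bytes=500-"))
    print("bytes=500-,2-4     ->", serve(entity, "bytes=500-,2-4"))
```

The interesting cases for a regression test are the ones the report names: a suffix spec on its own, a first-byte-pos past the end of the file (416), a malformed spec (416), and a set mixing an unsatisfiable spec with a satisfiable one, which must still be served as 206 with only the satisfiable part.

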
Comment 6 Tomas Hoger 2011-09-29 12:10:57 UTC
I'd add: https://issues.apache.org/bugzilla/show_bug.cgi?id=51878

Comment 11 errata-xmlrpc 2011-10-20 16:57:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1391.html