Hide Forgot
Description of problem: New version of httpd package stopped to send specification error message in the response body. Version-Release number of selected component (if applicable): httpd-2.2.15-60 How reproducible: always Steps to Reproduce: 1. send incorrect request to the httpd # perl -e 'print "GET / HTTP/1.0\n","Cookie: sessioncookie=qwertyuiop0987654321zxcvbnm\n"," ", "A"x8180, "\n\n"' | nc localhost 80 2. see the output Actual results: """ HTTP/1.1 400 Bad Request Date: Mon, 06 Feb 2017 14:30:24 GMT Server: Apache/2.2.15 (Red Hat) Content-Length: 325 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> </p> <hr> <address>Apache/2.2.15 (Red Hat) Server at qeos-192.lab.eng.rdu2.redhat.com Port 80</address> </body></html> [0 root@qeos-192 CVE-2012-0053-httpd-cookie-exposure-due-to-error-responses]# rpm -qa httpd httpd-2.2.15-60.el6.x86_64 """ Expected results: """ HTTP/1.1 400 Bad Request Date: Mon, 06 Feb 2017 14:29:05 GMT Server: Apache/2.2.15 (Red Hat) Content-Length: 418 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> Size of a request header field after folding exceeds server limit.<br /> <pre> Cookie </pre> </p> <hr> <address>Apache/2.2.15 (Red Hat) Server at qeos-194.lab.eng.rdu2.redhat.com Port 80</address> </body></html> [0 root@qeos-194 zk]# rpm -qa httpd httpd-2.2.15-54.el6_8.x86_64 """ Additional info: The bug was found on the errata 2016:25562-01.
Another thing I've spottedis that also reasons for rejection are different for 'long continuation' and 'missing colon' parts of tests: 'long header line' old: "Size of a request header field exceeds server limit." new: "Size of a request header field exceeds server limit." 'long continuation' old: "Size of a request header field after folding exceeds server limit." new: "Size of a request header field exceeds server limit." 'missing colon' old: "Request header field is missing ':' separator." new: no explanation
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: https://access.redhat.com/