https://bz.apache.org/bugzilla/show_bug.cgi?id=68973
--- Comment #6 from [email protected] ---

I just spent three hours debugging our application, which started to behave in weird ways when accessed from Windows clients, while on other clients it continued to work. The reason is that various .NET methods don't fully support responses with Transfer-Encoding chunked, which Apache started to introduce in the HTTP responses out of nowhere. The analysis would have taken even longer if we hadn't had one server left where the application still worked, so I was able to compare their configuration and code.

I actually stumbled upon the documentation of ap_trust_cgilike_cl at https://httpd.apache.org/docs/current/env.html#cgilike but discarded it because it says "Available in 2.4.59 and later", which we don't run, only to find out later that the package maintainer backported the changes for CVE-2024-24795.

I'm aware that the change will not be rolled back in this case, but I would still like to leave a note that in similar situations in the future, security and backwards compatibility should be weighed up and not unconditionally decided in favor of security. CVE-2024-24795 has a score of 4.0, which means it has almost no relevance in practice, so maybe the breaking change should have been introduced only in the next major version, while minor updates stay with a default value of ap_trust_cgilike_cl = 1. If someone wants to fix the security issue for his existing setup as well, he could set it to 0.
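The behaviour change the comment above complains about is easier to weigh once you see what a trusted-but-wrong Content-Length from a CGI-like backend lets an attacker do. The following is an added illustration, not code from httpd or from the bug reporter: it models two ways a front end can frame a backend script's output, passing the script's Content-Length through unchanged (the "trusting" path the comment associates with ap_trust_cgilike_cl = 1) versus discarding it and chunking the body (the path that produces the Transfer-Encoding: chunked responses the reporter observed). The backend output, the function names and the minimal client are all constructed for this example; the mapping of the two paths to the env variable's settings is my reading of the comment, not verified against httpd's source.

```python
"""Added example (not part of the bug report or of httpd): why a front end
should not blindly trust a Content-Length header produced by a CGI-like
backend. Everything here is a constructed model, not httpd's real code."""


def parse_cgi_output(raw: bytes):
    """Split a CGI-style response (headers, blank line, body) into a header
    dict with lower-cased names and the raw body. The first CRLFCRLF wins,
    so anything the script emits after its declared body is still 'body'."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def declared_vs_actual(raw: bytes):
    """The check a practitioner wants first: (Content-Length the script
    claimed, bytes it actually wrote). A mismatch is the whole problem."""
    headers, body = parse_cgi_output(raw)
    return int(headers.get("content-length", "0")), len(body)


def _status_and_header_lines(headers):
    status = headers.pop("status", "200 OK")
    out = b"HTTP/1.1 " + status.encode() + b"\r\n"
    for name, value in headers.items():
        out += name.title().encode() + b": " + value.encode() + b"\r\n"
    return out


def frame_trusting_cl(raw: bytes) -> bytes:
    """Model of the old behaviour: forward the script's Content-Length as-is."""
    headers, body = parse_cgi_output(raw)
    return _status_and_header_lines(headers) + b"\r\n" + body


def frame_chunked(raw: bytes) -> bytes:
    """Model of the hardened behaviour: drop the script's Content-Length and
    frame whatever the script wrote as one chunked body."""
    headers, body = parse_cgi_output(raw)
    headers.pop("content-length", None)
    out = _status_and_header_lines(headers) + b"Transfer-Encoding: chunked\r\n\r\n"
    if body:
        out += b"%x\r\n%s\r\n" % (len(body), body)
    return out + b"0\r\n\r\n"


def client_read_responses(stream: bytes) -> list:
    """Minimal HTTP/1.1 client reading a kept-alive connection: returns the
    body of every response it can frame. Content-Length wins when present,
    otherwise the body is de-chunked."""
    bodies, pos = [], 0
    while pos < len(stream):
        end = stream.index(b"\r\n\r\n", pos)
        lines = stream[pos:end].split(b"\r\n")
        pos = end + 4
        hdrs = {}
        for line in lines[1:]:  # lines[0] is the status line
            name, _, value = line.partition(b":")
            hdrs[name.strip().lower()] = value.strip()
        if hdrs.get(b"transfer-encoding") == b"chunked":
            body = b""
            while True:
                nl = stream.index(b"\r\n", pos)
                size = int(stream[pos:nl], 16)
                pos = nl + 2
                if size == 0:
                    pos += 2  # CRLF that terminates the last-chunk
                    break
                body += stream[pos:pos + size]
                pos += size + 2
        else:
            n = int(hdrs.get(b"content-length", b"0"))
            body = stream[pos:pos + n]
            pos += n
        bodies.append(body)
    return bodies


# Constructed backend output: the script claims 5 body bytes but writes more,
# and the surplus is shaped like a second, attacker-chosen HTTP response.
SCRIPT_OUTPUT = (
    b"Status: 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 8\r\n\r\n<forged>"
)

if __name__ == "__main__":
    print("declared/actual:", declared_vs_actual(SCRIPT_OUTPUT))
    print("trusting CL  :", client_read_responses(frame_trusting_cl(SCRIPT_OUTPUT)))
    print("chunked      :", client_read_responses(frame_chunked(SCRIPT_OUTPUT)))
```

With the trusting framing the client sees two responses on the connection, the second one entirely under the script's (or whoever can inject headers into it) control, which is the desynchronization CVE-2024-24795 describes. With the chunked framing the same bytes arrive as the literal body of a single response: ugly, but not a second response. That is the trade the comment is arguing about, and a quick `curl -sI` against the affected URL, looking for `Transfer-Encoding: chunked` where `Content-Length` used to be, is the fastest way to tell which path a given server is on.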
