Bugzilla – Full Text Bug Listing
| Summary: | after update to apache2 2.4.6-6.50.1 the PHP $_POST variable is not populated with data from multipart forms | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE 13.1 | Reporter: | Forgotten User 9WVK1i--Nc <forgotten_9WVK1i--Nc> |
| Component: | Apache | Assignee: | E-mail List <apache-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | ||
| Priority: | P2 - High | CC: | astieger, bruno, doerges, eike, forgotten_9WVK1i--Nc, jsegitz, kstreitova, magnus.holmgren, meissner, nemecek, novell, olivpass, pellice, pgajdos, rolf, sac, security-team |
| Version: | Final | ||
| Target Milestone: | --- | ||
| Hardware: | x86-64 | ||
| OS: | openSUSE 13.1 | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: |
quick test case that shows empty $_POST; sometimes the multipart POST-string is appended to the page
correctly handled form, also multipart though (I removed a couple of hidden fields from the form in the first attachment) |
Description
Forgotten User 9WVK1i--Nc
2015-10-07 09:49:25 UTC
I have the same problem. Downgrading to 2.4.6-6.47.1 fixed the issue.

Downgrading to 2.4.6-6.47.1 fixed the problem too. It seems the problem comes from one of the modules in apache2-prefork because downgrading apache2 was not enough to fix this issue.

Are you calling your php as cgi with suexec? https://bugzilla.opensuse.org/show_bug.cgi?id=949254

Afaik we're using mod_php5. But mod_cgi is enabled too. "a2enmod -l" gives me the following list:
actions alias auth_basic authn_file authz_host authz_groupfile authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 reqtimeout authn_core authz_core
Hope this helps.

Thank you. Unfortunately I am unable to reproduce it with a simple test case, so I would like to ask you for testing. There are two patches in this update, httpd-2.4.6-ap_some_auth_required_API_unusable.patch and httpd-2.4.6-chunk_header_parsing_defect.patch. I have disabled httpd-2.4.6-chunk_header_parsing_defect.patch first, the resulting rpms can be downloaded here: http://download.opensuse.org/repositories/home:/pgajdos:/maintenance:/apache2/openSUSE_13.1_Update/x86_64/

@Petr: Just to be sure: Did you include enctype="multipart/form-data" in the form of your test case?

yes

http://download.opensuse.org/repositories/home:/pgajdos:/maintenance:/apache2/openSUSE_13.1_Update/x86_64/apache2-2.4.6-6.54.1.x86_64.rpm
http://download.opensuse.org/repositories/home:/pgajdos:/maintenance:/apache2/openSUSE_13.1_Update/x86_64/apache2-prefork-2.4.6-6.54.1.x86_64.rpm

I meant yes, it fixes the problem :-)

Great! I'll try the new rpms this afternoon.

*** Bug 949254 has been marked as a duplicate of this bug. ***

httpd-2.4.6-chunk_header_parsing_defect.patch is the patch causing the problem also for me.

Created attachment 650704 [details]
quick test case that shows empty $_POST; sometimes the multipart POST-string is appended to the page
* load the page
* press the button
* view the var_dump()s of $_POST, $_GET and $_REQUEST
Created attachment 650705 [details]
correctly handled form, also multipart though (I removed a couple of hidden fields from the form in the first attachment)
*** Bug 949460 has been marked as a duplicate of this bug. ***

After installation of Petr's rpms from Comment 7 my test case does not show the problem anymore, so I assume Petr did a good job :) Thank you!

Yes, but up-to-now the patch for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183 is missing. So we need a patch for this which works ;-)

(In reply to Chris G. from comment #12)
> Created attachment 650704 [details]
> quick test case that shows empty $_POST; sometimes the multipart POST-string
> is appended to the page

Indeed, that works for me. Security team: I suggest to release new update for 13.1 without httpd-2.4.6-chunk_header_parsing_defect.patch for now and try to fix CVE-2015-3183 later.

*** Bug 949308 has been marked as a duplicate of this bug. ***

(In reply to Markus Kolb from comment #16)
> Yes, but up-to-now the patch for
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183 is missing.

Of course, but this is another bug.

yes resubmit without this fix for now please, so we fix the regression asap.

Also in bug 938728 comment #37

*** Bug 949353 has been marked as a duplicate of this bug. ***

We've been affected also even on POST OPTION method.
Have weird results with davical, owncloud, roundcube

Error dispatching request to :, .ics</D href> received on call for event in davical or owncloud

Typically this curl request was working with some remote ip, and absolutely not from some others

100% error from 212.41.206.188 (swisscom)
50% error 193.72.16.31 (green.ch)
40% error 81.63.130.58 (swisscom)
100% error 81.221.221.48 (fastadsl.ch)
100% working 217.162.26.130 (cablecom.ch)
100% working 176.31.224.222 (ovh.com)

curl "http://www.geojb.ch/index.php?ajaxActionRequest=Location.Zoom&" -H "Host: www.geojb.ch" -H "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0" -H "Accept: text/javascript, text/html, application/xml, text/xml, */*" -H "Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3" --compressed -H "X-Requested-With: XMLHttpRequest" -H "X-Prototype-Version: 1.7.1" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "Referer: http://www.geojb.ch/index.php" -H "Cookie: LangCookie=fr; CW3_current_project_cookie=geojb; MYCW3_PHP_SESSION=wu9HNbV04zANuBrHlmWz3Ly3AKx5AjWP3OM-L91JIN2; TestCookie=OK; jsLeftBarTools=44px"%"20838px"%"20541px"%"20318px" -H "Connection: keep-alive" -H "Pragma: no-cache" -H "Cache-Control: no-cache" --data "posted=1&js_folder_idx=1&selection_type=rectangle&selection_coords=567922.5049359959,223324.81171548116;568331.8849427928,222983.3891213389&features=&customMapsize=&show_crosshair=1&fake_reset=&ttswitch=on&js_accounting=version=0;hasJava=false;winInnerWidth=1280;winInnerHeight=859;screenWidth=1280;screenHeight=960;screenColorDepth=24&outline_label_text=Votre texte&tool=zoomin&project=geojb&recenter_x=&recenter_y=&recenter_doit=0&custom_scale=&shortcut_doit=0&openNodes=&layers[]=RASTER&layers[]=CorcellesR&layers[]=CourtelaryR&layers[]=CourtR&layers[]=CreminesR&layers[]=EschertR&layers[]=FerriereR&layers[]=La_HeutteR&layers[]=OrvinR&layers[]=RenanR&layers[]=RochesR&layers[]=SaugeR&layers[]=SonvilierR&layers[]=SoubozR&layers[]=VilleretR&layers[]=COUVERTUREDUSOL&layers[]=COUVERTUREDUSOL_SYMB&layers[]=COUVERTUREDUSOL_TEXTE&layers[]=CADASTRE&layers[]=BF_DS&layers[]=PARCELLAIRE&layers[]=PL&layers[]=BATIMENT&layers[]=BATIMENTS&layers[]=BATIMENT_NUMERO&layers[]=PFPA&layers[]=PFA12&layers[]=PFP12&layers[]=PFA3&layers[]=PFP3&layers[]=ODEL&layers[]=ODELPOINT&layers[]=ODELLIGNE&layers[]=ODELSURFACE&layers[]=ODELPROJET&layers[]=ODEL_TEXTE&layers[]=COUVERTUREDUSOL_LIGNE&layers[]=NOMENCLATURE&layers[]=LOCALISATION_RUE&layers[]=LOCALISATION_LIEU&layers[]=LOCALISATION_NOMLOCAL&outline_point_symbol=circle&outline_point_size=10&outline_point_color=#0000cd&outline_point_transparency=80&outline_line_size=2&outline_line_color=#0000cd&outline_line_transparency=80&outline_polygon_outline_color=#000000&outline_polygon_background_color=#ff9900&outline_polygon_transparency=60&outline_circle_radius=0&id_recenter_layer=&id_recenter_ids=&query_hilight=&query_return_attributes=&query_return_table=&query_select=&query_layer=&query_doit=&search_config=sample1&search_sort_column=&search_sort_direction=asc&search_number=&pdfMarginX=10&pdfMarginY=27.25&pdfMapAngle=&pdfMapCenterX=&pdfMapCenterY=&pdfA4x=210&pdfA4y=297&pdfA3x=297&pdfA3y=420&pdfOrientation=portrait&pdfrotatefreevalue=&pdfTitle=&pdfNote=&pdfReset=Effacer&recenter_scale=0&shortcut_id=-1&mapsize=1&null=sample0&pdfFormat=A4&pdfResolution=96&pdfScale=1000&"

Petr, please submit with the patch reverted.
sr#337404

This is an autogenerated message for OBS integration:
This bug (949218) was mentioned in
https://build.opensuse.org/request/show/337404 13.1 / apache2

I included the submission into openSUSE:Maintenance:4077

Please test this and provide feedback, then we can skip the usual wait time and release right away.

Version 2.4.6-6.56.1 works fine for me.

openSUSE-RU-2015:1721-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 949218
CVE References:
Sources used:
openSUSE 13.1 (src): apache2-2.4.6-6.53.1

Thank you all. Closing.

One little remark: After updating using zypper apache gets restarted, but possibly the restart happens too early within the rpm. At least on our machines "zypper ps" said that processes needed to be restarted, and actually the POST problem vanished after a manual "service apache restart" only.
Regards, Chris

Chris, I guess this is bug 893659?

Hmm, not sure if it's really the same as #893659. According to /var/log/messages Apache was stopped and started again during "zypper up" but there was no error:

2015-10-13T12:05:00.483609+02:00 specsrv systemd[1]: Reloading.
2015-10-13T12:05:00.777163+02:00 specsrv systemd[1]: Stopping The Apache Webserver...
2015-10-13T12:05:00.979319+02:00 specsrv systemd[1]: Starting The Apache Webserver...
2015-10-13T12:05:01.139373+02:00 specsrv systemd[1]: Started The Apache Webserver.

So Apache was up and running but still as the older version. Only after another restart the patch was "activated".
Chris

Chris, you are correct but I think that error there was caused by the nature of the patch, even though I have not looked into this patch at all so far. The reason for it can be the same as you have seen, though. The first guess about the reason tells me that it could be this way: apache2 package gets updated, httpd is restarted and later on apache2-prefork (or other MPM) is updated.
apache2 calls the restart in its %post, that means right after its installation/update. The very first idea (without thinking about drawbacks) would be to move it to %posttrans, which would move the restart after the update of all packages -- at least for 13.2 and Tumbleweed. Not sure about 13.1.

Thanks, Petr, for clarification. Just wanted to add my above remark, in case someone else ran into this.
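The restart-ordering issue discussed at the end of this thread (httpd restarted before the MPM package was replaced, so the old code keeps running) can be checked per process. The following is an added example, not part of the bug report or of any openSUSE tool: it parses `/proc/<pid>/maps` text and lists executable mappings whose on-disk file has since been replaced. The sample maps content, paths and inode numbers are constructed for illustration.

```python
import re

# Constructed sample of /proc/<pid>/maps for an httpd worker (not taken from the bug report).
SAMPLE_MAPS = """\
00400000-004a1000 r-xp 00000000 08:02 131090 /usr/sbin/httpd2-prefork (deleted)
006a0000-006a3000 rw-p 000a0000 08:02 131090 /usr/sbin/httpd2-prefork (deleted)
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a20100000-7f3a20500000 r-xp 00000000 08:02 262200 /usr/lib64/apache2/mod_php5.so
7f3a21000000-7f3a211b5000 r-xp 00000000 08:02 393300 /lib64/libc-2.18.so
7f3a22000000-7f3a22001000 rw-s 00000000 00:04 4711 /dev/zero (deleted)
7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0 [stack]
"""

# address range, permissions, offset, device, inode, optional path
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+"
    r"(?P<inode>\d+)\s*(?P<path>.*)$"
)
DELETED = " (deleted)"


def stale_mappings(maps_text):
    """Return sorted paths of executable, file-backed mappings whose file was
    unlinked or replaced on disk after the process mapped it."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not path.endswith(DELETED):
            continue  # file on disk is still the one that is mapped
        if "x" not in m.group("perms"):
            continue  # ignore data and shared-memory segments such as /dev/zero
        if m.group("inode") == "0":
            continue  # anonymous mapping, not backed by a package file
        stale.add(path[: -len(DELETED)])
    return sorted(stale)


def stale_mappings_for_pid(pid):
    """Same check against a live process; needs permission to read its maps."""
    with open(f"/proc/{pid}/maps") as fh:
        return stale_mappings(fh.read())
```

A non-empty result for a running httpd process after an update means the process still executes the pre-update binary or module and needs another restart.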