Package: apache2
Version: 2.4.62-1~deb12u1
Severity: important
X-Debbugs-Cc: markus.wol...@computec.de, t...@security.debian.org
Dear Maintainer,

After upgrading the apache2 packages, we noticed that our SEO rewriting rules in apache2 no longer worked and Tomcat tried to access non-existing file paths with URL-encoded question marks.

I first noticed that this issue affects Debian 12, but I can confirm that it also affects Debian 11, so it happens in oldstable, apache2 2.4.62-1~deb11u1, too.

To show the issue, you'll want to enable the following mods:

    a2enmod lbmethod_byrequests proxy proxy_ajp proxy_balancer slotmem_shm rewrite

I have set up a balancer worker in mods-available/proxy_balancer.conf:

    <Proxy balancer://tomcat>
        BalancerMember ajp://localhost:8009 secret=youllneverknow
    </Proxy>

I have narrowed the issue down to using a proxy RewriteRule inside a Directory block. So to reproduce, set up /etc/apache2/sites-available/000-default.conf like this:

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <Directory "/var/www/html">
            DirectoryIndex index.html
            RewriteEngine On
            RewriteRule ^/?(.*?)$ balancer://tomcat/demo/index.jsp?rewrite=$1 [P,L,env=AJP_REDIRECT_REAL_URL:$1,QSA]
        </Directory>
    </VirtualHost>

To illustrate the issue, I have set up a simple /demo/ application in Tomcat 10, but the problem is caused by the Apache2 web server, so this part is not relevant here.

Before the upgrade, i.e. with apache <= 2.4.61-1~deb12u1, a request to http://127.0.0.1/foo/bar/?someparam will result in the following request being proxied to Tomcat, as is expected:

    GET /demo/index.jsp?rewrite=foo/bar/&someparam

After the upgrade to 2.4.62-1~deb12u1, the same request gets mangled:

    GET /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam

You can see that the complete parameter string is added twice now, with the leading ? being escaped the first time around, which in turn causes the path to be completely messed up, so Tomcat won't be able to find the file and returns a 404 status.
When turning on debug logging in apache2, one can see that the request path is still fine during mod_rewrite processing; it only gets broken during mod_proxy processing.

The issue does not occur when the RewriteRule is placed outside of the Directory block. Unfortunately, this is not a viable workaround for us: we really need to be able to use this inside <Directory>, and we need the full flexibility of mod_rewrite too, so we cannot implement the same thing using ProxyPass, either.

For now, the only resolution is to downgrade the apache2 packages:

    apt -y --allow-downgrades install apache2=2.4.61-1~deb12u1 apache2-data=2.4.61-1~deb12u1 apache2-bin=2.4.61-1~deb12u1 apache2-utils=2.4.61-1~deb12u1

After the downgrade, the RewriteRule with the proxy directive is back to working as expected.

As 2.4.62-1~deb12u1 contains security fixes, it feels like having to pin the previous apache2 version is not a good solution, but upgrading it is not possible until this is fixed.

If I had to guess, this may be caused by the following change:

    mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME)
    for "balancer:" URLs set via SetHandler, also allowing for "unix:"
    sockets with BalancerMember(s). PR 69168. [Yann Ylavic]

-- Package-specific info:

-- System Information:
Debian Release: 12.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.11-8-pve (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin                    2.4.62-1~deb12u1
ii  apache2-data                   2.4.62-1~deb12u1
ii  apache2-utils                  2.4.62-1~deb12u1
ii  init-system-helpers            1.65.2
ii  media-types                    10.0.0
ii  perl                           5.36.0-7+deb12u1
ii  procps                         2:4.0.2-3
ii  sysvinit-utils [lsb-base]      3.06-4

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.2

Versions of packages apache2 suggests:
pn  apache2-doc                                          <none>
pn  apache2-suexec-pristine | apache2-suexec-custom      <none>
pn  www-browser                                          <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.2-3
ii  libaprutil1              1.6.3-1
ii  libaprutil1-dbd-sqlite3  1.6.3-1
ii  libaprutil1-ldap         1.6.3-1
ii  libbrotli1               1.0.9-2+b6
ii  libc6                    2.36-9+deb12u8
ii  libcrypt1                1:4.4.33-2
ii  libcurl4                 7.88.1-10+deb12u7
ii  libjansson4              2.14-2
ii  libldap-2.5-0            2.5.13+dfsg-5
ii  liblua5.3-0              5.3.6-2
ii  libnghttp2-14            1.52.0-1+deb12u1
ii  libpcre2-8-0             10.42-1
ii  libssl3                  3.0.14-1~deb12u1
ii  libxml2                  2.9.14+dfsg-1.3~deb12u1
ii  perl                     5.36.0-7+deb12u1
ii  zlib1g                   1:1.2.13.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                          <none>
pn  apache2-suexec-pristine | apache2-suexec-custom      <none>
pn  www-browser                                          <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.62-1~deb12u1
ii  apache2-bin  2.4.62-1~deb12u1

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]
/etc/apache2/conf-available/charset.conf changed [not included]
/etc/apache2/conf-available/localized-error-pages.conf changed [not included]
/etc/apache2/conf-available/other-vhosts-access-log.conf changed [not included]
/etc/apache2/conf-available/security.conf changed [not included]
/etc/apache2/conf-available/serve-cgi-bin.conf changed [not included]
/etc/apache2/mods-available/actions.conf changed [not included]
/etc/apache2/mods-available/alias.conf changed [not included]
/etc/apache2/mods-available/autoindex.conf changed [not included]
/etc/apache2/mods-available/cache_disk.conf changed [not included]
/etc/apache2/mods-available/cgid.conf changed [not included]
/etc/apache2/mods-available/dav_fs.conf changed [not included]
/etc/apache2/mods-available/deflate.conf changed [not included]
/etc/apache2/mods-available/dir.conf changed [not included]
/etc/apache2/mods-available/http2.conf changed [not included]
/etc/apache2/mods-available/info.conf changed [not included]
/etc/apache2/mods-available/ldap.conf changed [not included]
/etc/apache2/mods-available/mime.conf changed [not included]
/etc/apache2/mods-available/mime_magic.conf changed [not included]
/etc/apache2/mods-available/mpm_event.conf changed [not included]
/etc/apache2/mods-available/mpm_prefork.conf changed [not included]
/etc/apache2/mods-available/mpm_worker.conf changed [not included]
/etc/apache2/mods-available/negotiation.conf changed [not included]
/etc/apache2/mods-available/proxy.conf changed [not included]
/etc/apache2/mods-available/proxy_balancer.conf changed [not included]
/etc/apache2/mods-available/proxy_ftp.conf changed [not included]
/etc/apache2/mods-available/proxy_html.conf changed [not included]
/etc/apache2/mods-available/reqtimeout.conf changed [not included]
/etc/apache2/mods-available/setenvif.conf changed [not included]
/etc/apache2/mods-available/ssl.conf changed [not included]
/etc/apache2/mods-available/status.conf changed [not included]
/etc/apache2/mods-available/userdir.conf changed [not included]
/etc/apache2/ports.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/apache2/sites-available/default-ssl.conf changed [not included]

-- no debconf information
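An added regression check, not part of the bug report above and not Debian's or Apache's code: it splits a proxied request target into path and query, percent-decodes the path, and flags exactly the 2.4.62 symptom the report describes, an encoded '?' in the path followed by a copy of the real query string. The access-log lines are constructed in Tomcat common-log style; a legitimately encoded '?' in a file name is deliberately not flagged.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed request targets, modelled on the good and mangled forms
# quoted in the bug report.
GOOD = "/demo/index.jsp?rewrite=foo/bar/&someparam"
BAD = "/demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam"

# Constructed Tomcat access-log lines (common log format), not real data.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Oct/2024:10:00:00 +0000] "GET /demo/index.jsp?rewrite=foo/bar/&someparam HTTP/1.1" 200 512
127.0.0.1 - - [01/Oct/2024:10:00:01 +0000] "GET /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam HTTP/1.1" 404 0
127.0.0.1 - - [01/Oct/2024:10:00:02 +0000] "GET /demo/static/a%3Fb.css HTTP/1.1" 404 0
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def analyse_target(target):
    """Split a request target into path and query, decode the path and
    detect the double-encoded query symptom: the decoded path contains a
    '?' whose tail equals the real query string. Returns the verdict and
    the target the RewriteRule was meant to produce."""
    parts = urlsplit(target)
    decoded_path = unquote(parts.path)
    query = parts.query
    mangled = False
    if "?" in decoded_path:
        stray_query = decoded_path.split("?", 1)[1]
        # An encoded '?' that is not followed by a copy of the query string
        # is a legitimate path character, not this bug.
        mangled = stray_query == query
    expected = decoded_path.split("?", 1)[0]
    if query:
        expected += "?" + query
    return {"mangled": mangled, "query": query, "expected": expected}


def scan_log(text):
    """Return the request targets in access-log text that show the symptom."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if m and analyse_target(m.group(1))["mangled"]:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for target in scan_log(SAMPLE_LOG):
        print("mangled:", target, "->", analyse_target(target)["expected"])
```

Running scan_log over the Tomcat access log after an apache2 upgrade gives a quick yes/no on whether the proxied rewrites are affected before users report 404s.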