
Bug#844351: marked as done (apache2: as a reverse proxy, a 100 continue response is sent prematurely when request contains expects continue)



Your message dated Fri, 2 Dec 2022 14:40:23 +0100
with message-id <20221202144023.4d9b434d@frustcomp.hnjs.home.arpa>
and subject line 
has caused the Debian Bug report #844351,
regarding apache2: as a reverse proxy, a 100 continue response is sent prematurely when request contains expects continue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
844351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844351
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.10-10+deb8u7
Severity: important
Tags: upstream

Dear Maintainer,

  * What led up to the situation?

a backend with correct 100 continue support and a web client which expects 100-continue

  * What exactly did you do (or not do) that was effective (or
    ineffective)?

Reverse Proxy a backend.

  * What was the outcome of this action?

Premature 100-continue response from apache, before backend responds.

  * What outcome did you expect instead?

No 100-continue unless backend responds with 100-continue


https://bz.apache.org/bugzilla/show_bug.cgi?id=60330

As a reverse proxy, a 100 continue response is sent prematurely when a request contains expects: 100-continue. This causes the requesting client to send a body. The apache httpd proxy will then read the body and attempt to send it to the backend, but the backend already sent an error and should be allowed to NOT read the remaining request body, which never should have existed. When the backend does not read the request body, mod_proxy_http errors and returns a 500 error to the client. The client never receives the correct error message.



-- Package-specific info:

-- System Information:
Debian Release: 8.6
 APT prefers stable
 APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-45-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.10-10+deb8u7
ii  apache2-data   2.4.10-10+deb8u7
ii  apache2-utils  2.4.10-10+deb8u7
ii  dpkg           1.17.27
ii  lsb-base       4.1+Debian13+nmu1
ii  mime-support   3.58
ii  perl           5.20.2-3+deb8u6
ii  procps         2:3.3.9-9

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.35

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.1-3
ii  libaprutil1              1.5.4-1
ii  libaprutil1-dbd-sqlite3  1.5.4-1
ii  libaprutil1-ldap         1.5.4-1
ii  libc6                    2.19-18+deb8u6
ii  libldap-2.4-2            2.4.40+dfsg-1+deb8u2
ii  liblua5.1-0              5.1.5-7.1
ii  libpcre3                 2:8.35-3.3+deb8u4
ii  libssl1.0.0              1.0.1t-1+deb8u3
ii  libxml2                  2.9.1+dfsg1-5+deb8u3
ii  perl                     5.20.2-3+deb8u6
ii  zlib1g                   1:1.2.8.dfsg-2+b1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.10-10+deb8u7
ii  apache2-bin  2.4.10-10+deb8u7

-- no debconf information

--- End Message ---
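
The exchange described in the report above, as an added example that is not part of the original report or of Apache's code: a client that withholds its body until it sees `100 Continue`, run against two stand-in peers over an in-process socket pair. The names `client_probe`, `backend_rejects_early`, `premature_front_end` and `run`, the request head and the 413 status are assumptions; the second stand-in only mimics the symptoms the report describes.

```python
import socket
import threading

# Constructed request head: announces a 5-byte body that has not been sent yet.
HEAD = (b"POST /upload HTTP/1.1\r\nHost: backend.example\r\n"
        b"Content-Length: 5\r\nExpect: 100-continue\r\n\r\n")
BODY = b"hello"

def read_head(sock):
    """Read one message head byte by byte so no body bytes are consumed."""
    data = b""
    while not data.endswith(b"\r\n\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        data += chunk
    return data

def client_probe(sock):
    """Send headers, send the body only after a 100. Returns (body_sent, final_status)."""
    sock.sendall(HEAD)
    status = int(read_head(sock).split(b" ", 2)[1])
    if status != 100:
        return (False, status)  # final answer arrived first: body stays unsent
    sock.sendall(BODY)
    return (True, int(read_head(sock).split(b" ", 2)[1]))

def backend_rejects_early(sock):
    """Stand-in backend with correct support: decides on headers, reads no body."""
    read_head(sock)
    sock.sendall(b"HTTP/1.1 413 Payload Too Large\r\nContent-Length: 0\r\n\r\n")

def premature_front_end(sock):
    """Stand-in for the reported symptoms: 100 first, body read, then a 500."""
    read_head(sock)
    sock.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")
    sock.recv(len(BODY), socket.MSG_WAITALL)
    sock.sendall(b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n")

def run(server):
    a, b = socket.socketpair()  # in-process pair, no network needed
    a.settimeout(2)
    with a, b:
        t = threading.Thread(target=server, args=(b,), daemon=True)
        t.start()
        result = client_probe(a)
        t.join(2)
    return result
```

`client_probe` accepts any connected stream socket, so the same check can be pointed at a reverse proxy in a test environment to see whether the body is solicited before the backend has answered.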
--- Begin Message ---
Control: -1 fixed 2.4.40

--- End Message ---
