A new default for the LimitRequestBody directive in httpd configuration
To fix CVE-2022-29404, the default value for the LimitRequestBody directive in the Apache HTTP Server has been changed from 0 (unlimited) to 1 GiB in:
- Red Hat Enterprise Linux 8 starting with RHEL 8.7 (RHSA-2022:7647)
- Red Hat Enterprise Linux 9 starting with RHEL 9.1 (RHSA-2022:8067)
- Red Hat Software Collections with the asynchronous update (RHSA-2022:6753)
On systems where the value of LimitRequestBody is not explicitly specified in an httpd configuration file, updating the httpd package will set LimitRequestBody to the new default value of 1 GiB. As a consequence, if the total size of the HTTP request body exceeds this new 1 GiB default limit, httpd will return the 413 Request Entity Too Large error code.
If the new default allowed size of an HTTP request message body is insufficient for your use case, update your httpd configuration files within the respective context (server, per-directory, per-file, or per-location) and set your preferred limit in bytes.
For example, to set a new 2 GiB limit, use:
LimitRequestBody 2147483648
Systems already configured to use any explicit value for the LimitRequestBody directive are unaffected by this change.
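To check whether a host sets LimitRequestBody explicitly or will pick up the new default, the configuration tree can be scanned for active directives. The script below is an added example, not part of the original article or the httpd package; the function names are hypothetical and the default path /etc/httpd is assumed to be the configuration root.

```shell
#!/bin/sh
# Added example: list explicit LimitRequestBody settings in an httpd
# configuration tree. /etc/httpd is assumed as the default root; pass
# another directory as the first argument. Files pulled in by Include
# from outside that tree, and .htaccess files, are not scanned.

# Print "file:line:value" for every active LimitRequestBody directive.
# httpd directive names are case-insensitive, so compare in lower case.
# Commented-out lines do not match because their first field starts with "#".
find_limit_request_body() {
    find "$1" -type f -name '*.conf' -exec awk '
        tolower($1) == "limitrequestbody" {
            printf "%s:%d:%s\n", FILENAME, FNR, $2
        }' {} + 2>/dev/null
}

# Print "explicit" if at least one active directive exists, else "default".
# "default" means the updated package applies the 1 GiB limit.
limit_request_body_status() {
    if [ -n "$(find_limit_request_body "$1")" ]; then
        echo explicit
    else
        echo default
    fi
}

# Stand-alone use: report on the given (or assumed default) tree if present.
conf_root=${1:-/etc/httpd}
if [ -d "$conf_root" ]; then
    echo "LimitRequestBody under $conf_root: $(limit_request_body_status "$conf_root")"
    find_limit_request_body "$conf_root"
fi
```

The file and line in each result show which context (server, per-directory, per-file, or per-location) the value belongs to.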