A new default for the LimitRequestBody directive in httpd configuration
To fix CVE-2022-29404, the default value for the LimitRequestBody
directive in the Apache HTTP Server has been changed from 0
(unlimited) to 1 GiB in:
- Red Hat Enterprise Linux 8 starting with RHEL 8.7 RHSA-2022:7647
- Red Hat Enterprise Linux 9 starting with RHEL 9.1 RHSA-2022:8067
- Red Hat Software Collections with the asynchronous update RHSA-2022:6753
On systems where the value of LimitRequestBody is not explicitly specified in an httpd configuration file, updating the httpd package will set LimitRequestBody to the new default value of 1 GiB. As a consequence, if the total size of the HTTP request body exceeds this new 1 GiB default limit, httpd will return the 413 Request Entity Too Large error code.
If the new default allowed size of an HTTP request message body is insufficient for your use case, update your httpd configuration files within the respective context (server, per-directory, per-file, or per-location) and set your preferred limit in bytes.
For example, to set a new 2 GiB limit, use:
LimitRequestBody 2147483648
Systems already configured to use any explicit value for the LimitRequestBody directive are unaffected by this change.
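To see whether a system relies on the default, the following added example (not part of the original article) scans a configuration tree for explicit LimitRequestBody directives. The function names are hypothetical, and the /etc/httpd default path and the *.conf file pattern are assumptions about the layout; pass a different directory if your configuration lives elsewhere.

```shell
#!/bin/sh
# Added example: report explicit LimitRequestBody settings in an httpd config tree.
# Assumption: configuration files end in .conf and live under /etc/httpd unless
# another directory is passed as the first argument.

# Print "file:line:value" for every uncommented LimitRequestBody directive.
# httpd directive names are case-insensitive, so compare in lower case.
find_limit_request_body() {
    conf_root=$1
    find "$conf_root" -type f -name '*.conf' 2>/dev/null |
    sort |
    while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }                      # skip comment lines
            tolower($1) == "limitrequestbody" && $2 != "" {
                printf "%s:%d:%s\n", file, NR, $2
            }' "$f"
    done
}

# Summarise the findings. Returns 1 when no explicit value exists, which is
# the case where the package update switches the limit from unlimited to 1 GiB.
check_limit_request_body() {
    conf_root=${1:-/etc/httpd}
    hits=$(find_limit_request_body "$conf_root")
    if [ -z "$hits" ]; then
        echo "no explicit LimitRequestBody: updated httpd applies the 1 GiB default"
        return 1
    fi
    printf '%s\n' "$hits" | while IFS=: read -r file line value; do
        case $value in
            0) echo "$file:$line: 0 (unlimited)" ;;
            *) echo "$file:$line: $value bytes" ;;
        esac
    done
    return 0
}
```

Run `check_limit_request_body /etc/httpd` after sourcing the file. A directive found only inside one context (for example a single Location block) covers that context only; requests handled elsewhere still fall under the 1 GiB default.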