Package: apache2 Version: 2.4.25-3+deb9u6 OS details:
Debian GNU/Linux 9 (stretch) Linux debian 4.18.16-x86_64-linode118 #1 SMP PREEMPT Mon Oct 29 15:38:25 UTC 2018 x86_64 GNU/Linux Apache details: Server version: Apache/2.4.25 (Debian) Server built: 2018-11-03T18:46:19 Steps to reproduce: 1. Install apache2, configure it to enable cgi scripts. (a2enmod cgi, etc.) 2. Create an executable file in /usr/lib/cgi-bin called, for example, "test", containing the following four lines: #!/bin/bash echo "Content-Type: text/plain" echo "" tr -dc 'a-z0-9' </dev/urandom | fold -w 8 | head -n 1 3. Attempt to execute the script from a web browser by visiting http://<ip of server>/cgi-bin/test Expected results: A plain text web page containing an 8 character random string. Actual results: "tr" consumes 100% CPU and hangs. If you "kill" tr, a correct web page is returned, containing the string. Notes: This *used* to work. An update in past few weeks has broken it. Unfortunately I failed to notice precisely which update. If you run "tr -dc 'a-z0-9' </dev/urandom | fold -w 8 | head -n 1" from a shell, even as the www-data user, it works as expected. Excuting the cgi script from a shell also works as expected. I've reproduced this on two separate, unrelated Debian 9 systems. (I formatted this report by hand because the systems in question don't have internet access, so I couldn't use "reportbug". Apologies for any mistakes.)
