httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: svn commit: r1162874 - in /httpd/httpd/branches/2.2.x: CHANGES modules/http/byterange_filter.c
Date Mon, 29 Aug 2011 20:38:08 GMT
On 8/29/2011 10:40 AM, jim@apache.org wrote:
> Author: jim
> Date: Mon Aug 29 15:40:19 2011
> New Revision: 1162874
> 
>  Changes with Apache 2.2.20
>  
> +  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
> +     core: Fix handling of byte-range requests to use less memory, to avoid
> +     denial of service. If the sum of all ranges in a request is larger than
> +     the original file, ignore the ranges and send the complete file.
> +     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]

The later sentence is clearly no protection against the flaw if the server
offers huge resources, such as .iso's, larger packages or large pdfs.  Also
we have handlers which aren't going to indicate a C-L.  It would seem that
the first sentence is comprehensive enough to flag as -3192, and the later
is a bug fix, but not really part of a security solution.


Mime
View raw message