httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: svn commit: r1162874 - in /httpd/httpd/branches/2.2.x: CHANGES modules/http/byterange_filter.c
Date Mon, 29 Aug 2011 21:32:11 GMT
On 8/29/2011 3:48 PM, Stefan Fritsch wrote:
> On Mon, 29 Aug 2011, William A. Rowe Jr. wrote:
> 
>> On 8/29/2011 10:40 AM, jim@apache.org wrote:
>>> Author: jim
>>> Date: Mon Aug 29 15:40:19 2011
>>> New Revision: 1162874
>>>
>>>  Changes with Apache 2.2.20
>>>
>>> +  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
>>> +     core: Fix handling of byte-range requests to use less memory, to avoid
>>> +     denial of service. If the sum of all ranges in a request is larger than
>>> +     the original file, ignore the ranges and send the complete file.
>>> +     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
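Review bot: The second sentence of the new entry ("If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file.") sits under the SECURITY: CVE-2011-3192 tag next to the memory-use fix, although it describes a separate, client-visible behaviour change; consider moving it to its own CHANGES entry so the CVE tag covers only the memory fix. The entry also does not say what applies when the size of the original is not known to the filter, which would be worth one clause.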
>>
>> The later sentence is clearly no protection against the flaw if the server
>> offers huge resources, such as .iso's, larger packages or large pdfs.  Also
>> we have handlers which aren't going to indicate a C-L.  It would seem that
>> the first sentence is comprehensive enough to flag as -3192, and the later
>> is a bug fix, but not really part of a security solution.
> 
> I have included the second part because it is related to the 0-,0-,0-,... issue
> (http://seclists.org/bugtraq/2007/Jan/83). But it really has nothing to do with
> CVE-2011-3192. Feel free to rephrase/remove/split into two entries/...

+1 to split them into two different changes.
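The rule in the second sentence of the CHANGES entry, as an added example that is not part of this message and is not httpd's byterange_filter.c code: a simplified Range parser that sums the requested bytes and compares the sum with the resource size. The names `sum_ranges` and `ignore_ranges` and all inputs are constructed for illustration; the outcome of the rule depends on the size of the resource, which is the reason the thread treats it as a separate change from the memory fix.

```c
#include <stdlib.h>
#include <string.h>

/* Sum the bytes requested by a Range value such as "bytes=0-,0-,5-9" for a
 * resource of clen bytes; returns the satisfiable-range count, -1 on bad syntax. */
static int sum_ranges(const char *hdr, long long clen, long long *total)
{
    const char *p;
    int n = 0;
    *total = 0;
    if (strncmp(hdr, "bytes=", 6) != 0) return -1;
    p = hdr + 6;
    while (*p) {
        char *end;
        long long start, last = clen - 1;      /* default: up to end of file */
        if (*p == '-') {                       /* suffix form "-N": last N bytes */
            long long suffix = strtoll(p + 1, &end, 10);
            if (end == p + 1 || suffix < 0) return -1;
            start = suffix > clen ? 0 : clen - suffix;
            p = end;
        } else {
            start = strtoll(p, &end, 10);
            if (end == p || *end != '-' || start < 0) return -1;
            p = end + 1;                       /* open form "N-" keeps last */
            if (*p != ',' && *p != '\0') {     /* closed form "N-M" */
                long long m = strtoll(p, &end, 10);
                if (end == p || m < 0) return -1;
                if (m < last) last = m;        /* clamp to the resource */
                p = end;
            }
        }
        if (start <= last) { *total += last - start + 1; n++; }
        if (*p == ',') p++;
        else if (*p != '\0') return -1;
    }
    return n;
}

/* Rule from the CHANGES entry: ranges summing to more than the file are ignored. */
static int ignore_ranges(const char *hdr, long long clen)
{
    long long total;
    return sum_ranges(hdr, clen, &total) > 0 && total > clen;
}

int main(void)
{
    /* constructed input: three whole-file ranges against a 1000-byte file */
    return ignore_ranges("bytes=0-,0-,0-", 1000) ? 0 : 1;
}
```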

