httpd-dev mailing list archives

From Greg Ames <ames.g...@gmail.com>
Subject Re: svn commit: r1162874 - in /httpd/httpd/branches/2.2.x: CHANGES modules/http/byterange_filter.c
Date Mon, 29 Aug 2011 20:49:34 GMT
On Mon, Aug 29, 2011 at 4:38 PM, William A. Rowe Jr. <wrowe@rowe-clan.net> wrote:

> On 8/29/2011 10:40 AM, jim@apache.org wrote:
> > Author: jim
> > Date: Mon Aug 29 15:40:19 2011
> > New Revision: 1162874
> >
> >  Changes with Apache 2.2.20
> >
> > +  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
> > +     core: Fix handling of byte-range requests to use less memory, to
> avoid
> > +     denial of service. If the sum of all ranges in a request is larger
> than
> > +     the original file, ignore the ranges and send the complete file.
> > +     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric
> Covener]
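Review bot: The second sentence of the entry ("If the sum of all ranges ... send the complete file") documents a fallback rather than the bound that actually limits memory, so the first sentence should say what changed in the handling of overlapping or excessive ranges; that way the CVE-2011-3192 fix can be identified on its own, and the entry should also say what "original file" means for responses whose length is not known up front.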
>
> The later sentence is clearly no protection against the flaw if the server
> offers huge resources, such as .iso's, larger packages or large pdfs.  Also
> we have handlers which aren't going to indicate a C-L.  It would seem that
> the first sentence is comprehensive enough to flag as -3192, and the later
> is a bug fix, but not really part of a security solution.
>
>
The 2.2.x fix has no dependency on the handler setting a Content-Length. "original file" is the sum of the lengths of all the buckets prior to the EOS. If the handler is streaming or otherwise doesn't have an EOS, you get a 200 before or after the fix.

Greg
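To make the check being discussed concrete, here is an added example in C (mine, not httpd's byterange_filter.c) that sums the lengths of the ranges in a Range header against a known body length, the value Greg describes as the sum of the bucket lengths before the EOS, and reports when the ranges should be ignored in favour of a plain 200. The function names and the early exit once the sum passes the body length are my own choices.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Added illustration (not httpd's byterange_filter.c) of the rule in the
 * CHANGES entry: sum the bytes a "bytes=..." Range header asks for against
 * the known body length clen, stopping as soon as the sum exceeds clen so a
 * header with thousands of ranges is rejected cheaply. Returns 1 if the
 * ranges cover more than the body (ignore them, send a plain 200), 0 if they
 * are acceptable, -1 on malformed syntax. *sum_out gets the total on 0/1. */
int ranges_exceed_length(const char *range, int64_t clen, int64_t *sum_out)
{
    int64_t sum = 0;
    const char *p = range;
    if (strncmp(p, "bytes=", 6) != 0) return -1;
    p += 6;
    while (sum <= clen) {
        char *end;
        int64_t start = -1, last = -1, n;
        while (isspace((unsigned char)*p)) p++;
        if (isdigit((unsigned char)*p)) {             /* "first-" / "first-last" */
            start = strtoll(p, &end, 10); p = end;
        }
        if (*p++ != '-') return -1;
        if (isdigit((unsigned char)*p)) {
            last = strtoll(p, &end, 10); p = end;
        }
        if (start < 0 && last < 0) return -1;          /* a bare "-" */
        if (start < 0) {                               /* "-N": final N bytes */
            n = last < clen ? last : clen;
        } else {
            if (last < 0 || last >= clen) last = clen - 1; /* clamp to body */
            n = start <= last ? last - start + 1 : 0;  /* unsatisfiable = 0 */
        }
        sum += n;
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        if (*p++ != ',') return -1;
    }
    if (sum_out) *sum_out = sum;
    return sum > clen;
}

/* Convenience wrapper: total bytes requested, or -1 on malformed syntax. */
int64_t requested_bytes(const char *range, int64_t clen)
{
    int64_t s = 0;
    return ranges_exceed_length(range, clen, &s) < 0 ? -1 : s;
}
```

For a streaming response with no EOS there is no clen to pass in, which is the case Greg notes falls through to a 200 regardless.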
