httpd-docs mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Httpd Wiki] Update of "CVE-2011-3192" by wrowe
Date Fri, 09 Sep 2011 15:52:43 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "CVE-2011-3192" page has been changed by wrowe:
http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=2&rev2=3

  
  Changes since last update
  =========================
- 2.2.20 has a fix. 2.2.21 a bitter on. 1.3. not vulnerable. Further regex/rule
- improments.  1.3 support stopgap module.  Explain DoS. Reduce severity for 1.3.
+ 2.2.20 has a fix, 2.2.21 an improved one. Version 1.3 is not vulnerable. 
+ Further regex/rule improvements.  Explained DoS.  Added wiki link.  
- Added wiki link. Highlight fact that LimitRequestFieldSize is not sufficient.
+ Highlight fact that LimitRequestFieldSize workaround was insufficient.
  
  Changes since update 1
  =========================
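Review bot: the rewritten changelog silently drops two entries from the removed lines, "1.3 support stopgap module" and "Reduce severity for 1.3", without a replacement; if those changes are still part of this revision, keep them in the list, and if they were reverted, say so. "Highlight fact that ..." also reads better in the past tense used by the neighbouring entries ("Highlighted fact that ..."), and the added lines carry trailing whitespace.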
@@ -120, +120 @@

  2-3 and MSIE 3. Depending on your user community - it is likely that you
  can use option '3' safely for this older 'Request-Range'.
  
+ 0) Consult http://httpd.apache.org/security/CVE-2011-3192.txt for the most
- 0) Consult
-  for more recent
-    information (as this is the final advisory).
+    recent information (as this is the final advisory).
  
  1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
     either ignore the Range: header or reject the request.
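Review bot: the restored item 0) calls the linked CVE-2011-3192.txt "the final advisory", while the Planning section later in this same change says minor refinements of that advisory will continue to be tracked at that URL; pick one wording (for example "the authoritative advisory") so readers do not assume the text file is frozen.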
@@ -191, +190 @@

  Note
  ====
  
- Earlier advisories suggested theuse of LimitRequestFieldSize. This method is
+ Earlier advisories suggested the use of LimitRequestFieldSize. This mitigation
- not fully effective and can by bypassed by splitting the attack vector up
+ was not fully effective and can by bypassed by splitting the attack vector up
  across multiple headers. Therefore you should not rely on LimitRequestFieldSize
  alone.
  
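Review bot: the added line "was not fully effective and can by bypassed" carries the typo over from the removed line; it should read "can be bypassed". Since the sentence is being moved to the past tense anyway, this is the moment to fix it.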
@@ -210, +209 @@

  ========
  
  Apache HTTPD users who are concerned about a DoS attack against their server
- should 1) upgrade to version 2.2.20, 2) if not possible - apply the provided
- patches or 3) consider implementing any of the above mitigations immediately.
+ should 1) upgrade to version 2.2.21 (or 2.0.65 when it becomes available), 
+ 2) if not possible - apply the provided patches or 3) consider implementing 
+ any of the above mitigations immediately.
  
  When using a third party attack tool to verify vulnerability - note that most
  of the versions in the wild currently check for the presence of mod_deflate;
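Review bot: the new recommendation introduces "2.0.65 when it becomes available", but the "Changes since last update" list at the top of this diff only records the 2.2.20/2.2.21 and 1.3 items; add a changelog entry for the 2.0.x line so the summary matches the body. The two added lines ending in "available), " and "implementing " also carry trailing whitespace.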
@@ -222, +222 @@

  Planning:
  =========
  
- No further advisories are planned. However we will track information at
+ No further advisory email announcements are planned. However we will track 
+ minor refinements of this advisory at;
+ 
+   http://httpd.apache.org/security/CVE-2011-3192.txt
+ 
+ Further recommendations and discussion on workarounds, or user-agent
+ specific complications of these fixes will be tracked at;
+ 
+   http://wiki.apache.org/httpd/CVE-2011-3192
+ 
  }}}
  
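Review bot: both added lead-ins end with a semicolon ("tracked at;") where a colon should introduce the indented URL that follows; change both to "tracked at:". "user-agent specific complications" should be hyphenated as "user-agent-specific complications", "However we will track" wants a comma after "However", and the first added line ends with trailing whitespace.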

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

