httpd-docs mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Httpd Wiki] Update of "CVE-2011-3192" by wrowe
Date Fri, 09 Sep 2011 15:59:33 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "CVE-2011-3192" page has been changed by wrowe:
http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=3&rev2=4

  overlapping ranges are handled by the Apache HTTPD server prior to version
  2.2.20:
  
+      http://seclists.org/fulldisclosure/2011/Aug/175 
+ 
  An attack tool is circulating in the wild. Active use of this tool has
  been observed.
  
@@ -72, +74 @@

  and resolved with this server side fix. The other issue is fundamentally a
  protocol design issue dating back to 2007:
  
+       http://seclists.org/bugtraq/2007/Jan/83 
+ 
  The contemporary interpretation of the HTTP protocol (currently) requires a
  server to return multiple (overlapping) ranges; in the order requested. This
  means that one can request a very large range (e.g. from byte 0- to the end)
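Review bot: the added bugtraq URL is a bare link with a trailing space and nothing saying what it points to, even though the preceding sentence only says "dating back to 2007". Strip the trailing whitespace and give the link a short label (what the 2007 post reports) so the reference is useful when the page is read offline or the archive moves.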
@@ -79, +83 @@

  
  Being able to do so is an issue for (probably all) webservers and currently
  subject of an IETF discussion to change the protocol:
+ 
+       http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311
  
  This advisory details a problem with how Apache httpd and its so called
  internal 'bucket brigades' deal with serving such "valid" request. The
@@ -91, +97 @@

  ====
  
  This vulnerability has been fixed in release 2.2.20  and beyond. You are
- advised to upgrade to version 2.2.21 (or newer).
+ advised to upgrade to version 2.2.21 (or newer, or 2.0.65 once that version
+ is published).
  
  If you cannot upgrade - you can apply a Patch and recompile:
+ 
+   http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/ (for 2.2.9 - .14)
+   http://www.apache.org/dist/httpd/patches/apply_to_2.2.19/ (for 2.2.15 - .19)
+   http://www.apache.org/dist/httpd/patches/apply_to_2.0.64/ (for 2.0.55 - .64)
  
  If you cannot upgrade and/or cannot apply above patches in a timely manner
  then you could consider to apply te mitigations suggested below.
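Review bot: the three added patch directories cover 2.2.9 to 2.2.19 and 2.0.55 to 2.0.64 only, so a reader on an older 2.2.x or 2.0.x release is told to "apply a Patch" but finds none listed; say explicitly that those releases have no backported patch and must upgrade or use the mitigations. The new parenthetical "(or newer, or 2.0.65 once that version is published)" also reads as if 2.0.65 were an alternative for everyone; name the branch, for example "2.0 users: 2.0.65 once that version is published". While this paragraph is being touched, "te mitigations" in the following sentence should be "the mitigations" and "Patch" does not need a capital.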
@@ -152, +163 @@

            #
            RewriteEngine on
            RewriteCond %{
+ HTTP:range
  } !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
            RewriteRule .* - [F]
  
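Review bot: the RewriteCond test string is rendered across three lines (`%{`, `HTTP:range`, `}`), and a reader who copies it that way gets a directive that does not parse as intended; keep it on one line as `RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]`. The `{0,4}` quantifier means a request with up to five ranges passes and anything beyond that receives the 403 from `[F]`; the `#` comment above the rule should state that limit so administrators can tune it without decoding the regex. The condition inspects only the Range header, so these lines do nothing about the legacy Request-Range header; either handle it here or point to where the page does.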

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

