httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache Wiki <wikidi...@apache.org>
Subject [Httpd Wiki] Update of "CVE-2011-3192" by wrowe
Date Fri, 09 Sep 2011 16:00:24 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "CVE-2011-3192" page has been changed by wrowe:
http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=4&rev2=5

  
  Changes since last update
  =========================
- 2.2.20 has a fix, 2.2.21 an improved one. Version 1.3 is not vulnerable. 
+ 2.2.20 has a fix, 2.2.21 an improved one. Version 1.3 is not vulnerable.
- Further regex/rule improvements.  Explained DoS.  Added wiki link.  
+ Further regex/rule improvements.  Explained DoS.  Added wiki link.
  Highlight fact that LimitRequestFieldSize workaround was insufficient.
  
  Changes since update 1
@@ -33, +33 @@

  overlapping ranges are handled by the Apache HTTPD server prior to version
  2.2.20:
  
-      http://seclists.org/fulldisclosure/2011/Aug/175 
+      http://seclists.org/fulldisclosure/2011/Aug/175
  
  An attack tool is circulating in the wild. Active use of this tool has
  been observed.
@@ -74, +74 @@

  and resolved with this server side fix. The other issue is fundamentally a
  protocol design issue dating back to 2007:
  
-       http://seclists.org/bugtraq/2007/Jan/83 
+       http://seclists.org/bugtraq/2007/Jan/83
  
  The contemporary interpretation of the HTTP protocol (currently) requires a
  server to return multiple (overlapping) ranges; in the order requested. This
@@ -162, +162 @@

            # CVE-2011-3192
            #
            RewriteEngine on
+           RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
-           RewriteCond %{
- HTTP:range
- } !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
            RewriteRule .* - [F]
  
            # We always drop Request-Range; as this is a legacy
@@ -221, +219 @@

  ========
  
  Apache HTTPD users who are concerned about a DoS attack against their server
- should 1) upgrade to version 2.2.21 (or 2.0.65 when it becomes available), 
+ should 1) upgrade to version 2.2.21 (or 2.0.65 when it becomes available),
- 2) if not possible - apply the provided patches or 3) consider implementing 
+ 2) if not possible - apply the provided patches or 3) consider implementing
  any of the above mitigations immediately.
  
  When using a third party attack tool to verify vulnerability - note that most
@@ -234, +232 @@

  Planning:
  =========
  
- No further advisory email announcements are planned. However we will track 
+ No further advisory email announcements are planned. However we will track
  minor refinements of this advisory at;
  
    http://httpd.apache.org/security/CVE-2011-3192.txt
@@ -243, +241 @@

  specific complications of these fixes will be tracked at;
  
    http://wiki.apache.org/httpd/CVE-2011-3192
- 
  }}}
  

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message