httpd-docs mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Httpd Wiki] Update of "CVE-2011-3192" by wrowe
Date Mon, 12 Sep 2011 09:28:05 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "CVE-2011-3192" page has been changed by wrowe:
http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=8&rev2=9

  Last Change: 20110831 1800Z
  Date:        20110824 1600Z
  Product:     Apache HTTPD Web Server
- Versions:    Apache 2.0 - all versions prior to 2.2.20;
+ Versions:    Apache 2.0 - all versions prior to 2.2.20 and prior to 2.0.65
               Apache 1.3 is NOT vulnerable.
  
  Changes since last update
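Review bot: The new Versions line reads as if 2.2.20 and 2.0.65 were both upper bounds on "Apache 2.0", and the 2.2 branch is never named. Suggest one entry per branch, for example "Apache 2.2 - all versions prior to 2.2.20" and "Apache 2.0 - all versions prior to 2.0.65", which matches the wording the body text uses. The "Last Change: 20110831 1800Z" field is also left as it was, so a reader comparing copies of the advisory cannot tell that the affected-version range was amended in this revision.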
@@ -41, +41 @@

  The attack can be done remotely and with a modest number of requests can
  cause very significant memory and CPU usage on the server.
  
- The default Apache HTTPD installations version 2.0 and 2.2 prior to
+ The default Apache httpd installations version 2.0 prior to 2.0.65 and 
- 2.2.20 are vulnerable.
+ version 2.2 prior to 2.2.20 are vulnerable.
  
  Apache 2.2.20 does fix this issue; however with a number of side effects
- (see release notes). Version 2.2.21 xxx
+ (see release notes). Version 2.2.21 corrects a protocol defect in 2.2.20,
+ and also introduces the MaxRanges directive.
+ 
+ Version 2.0.65 has not been released, but will include this fix, and is
+ anticipated in September.
  
  Apache 1.3
  ==========
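Review bot: In the added 2.0.65 paragraph, "anticipated in September" carries no year and will read as current long after it is stale; give the year or say only that 2.0.65 is unreleased. The 2.2.21 sentence mentions "a protocol defect in 2.2.20" without saying what it affects, which leaves anyone who already deployed 2.2.20 unsure whether a second upgrade is required; a pointer to the 2.2.21 release notes would settle that. The same hunk switches to "Apache httpd" while the rest of the advisory says "Apache HTTPD", and the first added line ends in trailing whitespace.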
@@ -141, +145 @@

  1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
     either ignore the Range: header or reject the request.
  
-    Option 1: (Apache 2.2)
+    Option 1: (Apache 2.2, requires mod_setenvif and mod_headers)
  
            # Drop the Range header when more than 5 ranges.
            # CVE-2011-3192
@@ -160, +164 @@

     mod_cache and (language) modules may act before the 'unset'
     is executed upon during the 'fixup' phase.
  
-    Option 2: (Pre 2.2)
+    Option 2: (Pre 2.2, requires mod_rewrite and mod_headers)
  
            # Reject request when more than 5 ranges in the Range: header.
            # CVE-2011-3192
@@ -199, +203 @@

  
  4) Deploy a Range header count module as a temporary stopgap measure.
  
+    A stop-gap module which is runtime-configurable can be found at:
+ 
-      http://people.apache.org/~dirkx/mod_rangecnt-improved/
+      http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/
- 
-    An improved stop-gap module for the 2.x series was provided by
-    Guenter Knauf and can be found at:
+  
+    A simpler stop-gap module which requires compile-time configuration 
+    is also available:
  
       http://people.apache.org/~dirkx/mod_rangecnt.c
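Review bot: Both stop-gap modules are linked over plain http from personal people.apache.org directories with no checksum or signature, and administrators are being asked to compile them into a production server; add a digest or a detached-signature reference beside each URL. The rewrite also drops the credit to Guenter Knauf for the improved module and swaps the ~dirkx/mod_rangecnt-improved/ link for the ~fuankg one without saying whether the old location is still valid. Two of the added lines end in trailing whitespace.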
  
@@ -232, +238 @@

  Apache HTTPD users who are concerned about a DoS attack against their server
  should 1) upgrade to version 2.2.21 (or 2.0.65 when it becomes available),
  2) if not possible - apply the provided patches or 3) consider implementing
- any of the above mitigations immediately.
+ any of the above mitigation immediately.
  
  When using a third party attack tool to verify vulnerability - note that most
  of the versions in the wild currently check for the presence of mod_deflate;
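Review bot: The changed line turns "any of the above mitigations immediately" into "any of the above mitigation immediately", which is a grammar regression in the advisory's closing recommendation; keep the plural. Nothing else in this hunk changes, so the revision can drop this line from the diff entirely.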

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

