Return-Path:
X-Original-To: apmail-httpd-docs-archive@www.apache.org
Delivered-To: apmail-httpd-docs-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id EADDF71AA for ; Mon, 12 Sep 2011 09:28:44 +0000 (UTC)
Received: (qmail 91138 invoked by uid 500); 12 Sep 2011 09:28:43 -0000
Delivered-To: apmail-httpd-docs-archive@httpd.apache.org
Received: (qmail 90812 invoked by uid 500); 12 Sep 2011 09:28:32 -0000
Mailing-List: contact docs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
list-help:
list-unsubscribe:
List-Post:
Reply-To: docs@httpd.apache.org
List-Id:
Delivered-To: mailing list docs@httpd.apache.org
Received: (qmail 90709 invoked by uid 99); 12 Sep 2011 09:28:26 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 12 Sep 2011 09:28:26 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.131] (HELO eos.apache.org) (140.211.11.131) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 12 Sep 2011 09:28:25 +0000
Received: from eos.apache.org (localhost [127.0.0.1]) by eos.apache.org (Postfix) with ESMTP id 3F9CC6D7; Mon, 12 Sep 2011 09:28:05 +0000 (UTC)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Apache Wiki
To: Apache Wiki
Date: Mon, 12 Sep 2011 09:28:05 -0000
Message-ID: <20110912092805.71728.81897@eos.apache.org>
Subject: [Httpd Wiki] Update of "CVE-2011-3192" by wrowe
Auto-Submitted: auto-generated

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "CVE-2011-3192" page has been changed by wrowe:
http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=8&rev2=9

Last Change: 20110831 1800Z
Date: 20110824 1600Z
Product: Apache HTTPD Web Server
- Versions: Apache 2.0 - all versions prior to 2.2.20;
+ Versions: Apache 2.0 - all versions prior to 2.2.20 and prior to 2.0.65
Apache 1.3 is NOT vulnerable.

Changes since last update
@@ -41, +41 @@
The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.

- The default Apache HTTPD installations version 2.0 and 2.2 prior to
+ The default Apache httpd installations version 2.0 prior to 2.0.65 and
- 2.2.20 are vulnerable.
+ version 2.2 prior to 2.2.20 are vulnerable.

Apache 2.2.20 does fix this issue; however with a number of side effects
- (see release notes). Version 2.2.21 xxx
+ (see release notes). Version 2.2.21 corrects a protocol defect in 2.2.20,
+ and also introduces the MaxRanges directive.
+
+ Version 2.0.65 has not been released, but will include this fix, and is
+ anticipated in September.

Apache 1.3
==========
@@ -141, +145 @@
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.

- Option 1: (Apache 2.2)
+ Option 1: (Apache 2.2, requires mod_setenvif and mod_headers)

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
@@ -160, +164 @@
mod_cache and (language) modules may act before the 'unset' is executed
upon during the 'fixup' phase.

- Option 2: (Pre 2.2)
+ Option 2: (Pre 2.2, requires mod_rewrite and mod_headers)

# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
@@ -199, +203 @@

4) Deploy a Range header count module as a temporary stopgap measure.

+ A stop-gap module which is runtime-configurable can be found at:
+
- http://people.apache.org/~dirkx/mod_rangecnt-improved/
+ http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/
-
- An improved stop-gap module for the 2.x series was provided by
- Guenter Knauf and can be found at:
+
+ A simpler stop-gap module which requires compile-time configuration
+ is also available:

http://people.apache.org/~dirkx/mod_rangecnt.c

@@ -232, +238 @@
Apache HTTPD users who are concerned about a DoS attack against their server
should 1) upgrade to version 2.2.21 (or 2.0.65 when it becomes available),
2) if not possible - apply the provided patches or 3) consider implementing
- any of the above mitigations immediately.
+ any of the above mitigation immediately.

When using a third party attack tool to verify vulnerability - note that
most of the versions in the wild currently check for the presence of mod_deflate;

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
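Review bot: in the first hunk (the page header), the rewritten line "Versions: Apache 2.0 - all versions prior to 2.2.20 and prior to 2.0.65" is hard to parse, because the dash reads as "from 2.0 up to" and the two branches are listed under a single "Apache 2.0" label with two "prior to" clauses. The body text added in the same change already states it precisely; suggest mirroring that wording here, e.g. "Versions: Apache 2.0.x prior to 2.0.65; Apache 2.2.x prior to 2.2.20", and keeping the existing "Apache 1.3 is NOT vulnerable." line under it.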
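Review bot: in the @@ -41 hunk, "Version 2.0.65 has not been released, but will include this fix, and is anticipated in September" puts an undated forecast into a page whose only timestamps are the separate "Last Change" and "Date" fields in the header; a reader arriving later cannot tell whether "September" is past. Suggest either anchoring it ("as of 2011-09-12, ...") or dropping the month and stating only that 2.0.65 is unreleased and will carry the fix. Separately, "corrects a protocol defect in 2.2.20" names no defect; since the preceding sentence already says "(see release notes)", pointing at the 2.2.21 CHANGES entry for that regression would make the "upgrade to 2.2.21 rather than 2.2.20" advice actionable.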
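Review bot: in the @@ -141 hunk, naming the module dependencies in the Option 1 heading is useful, but the snippet comment that follows ("Drop the Range header when more than 5 ranges") says nothing about when the header is dropped, while the context of the next hunk warns that mod_cache and the (language) modules may act before the 'unset' executes during the 'fixup' phase. Suggest repeating that limitation in the Option 1 heading or its first comment line, so that an administrator who copies only this block knows that cached or language-negotiated responses may still be served from a request whose Range header was not yet removed.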
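Review bot: in the @@ -160 hunk, "Pre 2.2" in the Option 2 heading is ambiguous; the page header states that Apache 1.3 is NOT vulnerable, so the only pre-2.2 branch this applies to is 2.0.x, and "(Apache 2.0, requires mod_rewrite and mod_headers)" would be clearer and would parallel the "(Apache 2.2, ...)" form of Option 1. Also, the comment shows that Option 2 rejects the request rather than dropping the header; stating that behavioural difference next to the heading would help a reader choosing between the two options.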
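Review bot: in the @@ -199 hunk, the sentence crediting Guenter Knauf with the improved module is removed at the same time as its URL moves from ~dirkx to ~fuankg; if the ~fuankg copy is the same module, say so in the new "runtime-configurable" sentence, because readers following the old ~dirkx/mod_rangecnt-improved/ link from elsewhere will otherwise not connect the two. "Runtime-configurable" versus "requires compile-time configuration" would also be more useful with the configurable value named (the page's own snippets use a threshold of 5 ranges), so administrators know what they are tuning.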
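Review bot: in the @@ -232 hunk, changing "mitigations" to "mitigation" introduces a grammatical error: "any of the above mitigations immediately" was correct, since "any of" takes the plural. Suggest reverting this one-word change.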