httpd-users mailing list archives

From "Ryan Frantz" <rfra...@acclamation.com>
Subject Re: Disable support for Chunked Encoding? (SECURITY FLAW announced yesterday)
Date Tue, 18 Jun 2002 15:18:15 GMT
Anyone know where one can find the 1.3.25 source that the CERT advisory said
is available?  I can't seem to find it at apache.org or its mirrors.


----- Original Message -----
From: barryc <barryc@rjlsystems.com>
To: Barry Callahan <barryc@rjlsystems.com>; <users@httpd.apache.org>
Sent: Tuesday, June 18, 2002 11:15 AM
Subject: Disable support for Chunked Encoding? (SECURITY FLAW announced yesterday)


> The people at Apache have announced that there is a bug in the code which
> handles requests in "chunked encoding" which can, in certain configurations,
> be used for a denial-of-service attack, or allow people to execute arbitrary
> code on your server.  All versions of Apache 1.3 - 1.3.24 and 2.0 - 2.0.36
> are affected, at least according to CERT advisory CA-2002-17.
>
> Here is the link to their announcement:
> http://httpd.apache.org/info/security_bulletin_20020617.txt
>
> The first paragraph of the Description section follows:
>
> "Versions of the Apache web server up to and including 1.3.24 and 2.0 up to
> and including 2.0.36 and 2.0.36-dev versions contain a bug in the routines
> which deal with invalid requests which are encoded using chunked encoding.
> This bug can be triggered remotely by sending a carefully crafted invalid
> request. This functionality is enabled by default."
>
> That last sentence would imply that support for chunked encoding can be
> disabled, but as yet I've been unable to figure out how.  It doesn't seem to
> be documented anywhere.
>
> Is disabling Chunked Encoding a BAD IDEA?
> The Apache announcement later states that they're working on a fix, but if
> there's a workaround that can be done in the meantime, I'd feel a lot
> better.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
