From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject [users@httpd] Re: VN: VU#405811 / TN:JPCERT#96552408
Date Wed, 14 Sep 2011 16:37:06 GMT
Here are some questions posted to the security list, bcc'ing the
reporter, but perhaps of general interest.

On 9/14/2011 10:45 AM, [...] wrote:
> 
> We have noticed that official notification was released via
> mailing list.
> 
> And we have received another inquiry from a vendor and system
> administrators regarding 2.2.21 updates which you just had
> announced for official release.
> 
> Their questions are as follows:
> 
> 1. Users and system administrators have just finished updating
>    Apache 2.2.20, and now 2.2.21 was released and it seems it is
>    strongly recommended to upgrade to 2.2.21 even though they
>    had either updated to or upgraded to 2.2.20.
>    Under this circumstance, do we have to upgrade to 2.2.21
>    right away?
>    It is greatly appreciated if you could tell us any specific risks
>    which may reside in the case when users do not upgrade to 2.2.21
>    right away and keep using 2.2.20.

Quoting the advisory:

       core: Further fixes to the handling of byte-range requests to use
       less memory, to avoid denial of service. This patch includes fixes
       to the patch introduced in release 2.2.20 for protocol compliance,
       as well as the MaxRanges directive.

If there are issues observed with 2.2.20 or if protocol compliance for
range requests is desired, users are strongly encouraged to adopt 2.2.21.
Incorrect content was returned in 2.2.20 for 'bytes=-20' style requests.
Likewise, if the MaxRanges directive is desired, the update should be deployed.

This can be treated as any other scheduled update if 2.2.20 is already in
place, or workarounds are in place, protecting from the underlying fault.

It should be treated with higher priority if the user combines ajp: proxy
workers into a balancer: group, as noted for CVE-2011-3348.

> 2. We have found a while ago that there has been an UPDATE3 draft publicly
>    viewable on the internet.  We compared the contents of the UPDATE3 draft with
>    the official UPDATE3 contents which were just officially released.
>    Our question here is
>    a) What was wrong in describing this issue in UPDATE3?

Unclear which issue?  1. above?  We can add some clarification but that
draft is already quite detailed.  They may wish to refer to

https://issues.apache.org/bugzilla/show_bug.cgi?id=51748

> 3. If there are some configurations/settings that users should be careful
> of, it is greatly appreciated if you could tell us.

Such questions should not be directed to the security list.  We have both
a users@httpd.apache.org and dev@httpd.apache.org list.  The team who
manages security@ is time-constrained and unavailable to provide 1:1
consultation on such inquiries.

That said, we would encourage all users to edit the relevant wiki draft
if they have suggestions which improve performance or correctness of the
workaround or newly introduced Range control directives.  That wiki page
link is detailed at the end of the update 3 advisory.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
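
An added illustration, not part of Rowe's message and not httpd's own code: a small Range-header resolver that shows the two points the advisory excerpt above is about, namely a cap on the number of ranges accepted per request (modelled on the MaxRanges directive, whose behaviour of ignoring the Range header and returning the complete resource when the cap is exceeded is assumed here from the directive's documentation) and correct handling of suffix ranges such as 'bytes=-20', which must resolve to the last 20 bytes of the resource. The function names, the 200-range default and the sample body are assumptions made for this example.

```python
"""Resolve an HTTP/1.1 Range header against a resource of known length.

Example code written for this archive page; it is not Apache httpd's
implementation.  It follows the RFC 2616 byte-range-set grammar and caps
the number of ranges per request the way the MaxRanges directive does
(assumed semantics: too many ranges -> ignore Range, serve the whole
resource with 200).
"""
import re

FULL = "full"                  # serve the entire resource (200 OK)
PARTIAL = "partial"            # serve the resolved ranges (206 Partial Content)
UNSATISFIABLE = "unsatisfiable"  # no range overlaps the resource (416)

# byte-range-spec = first-byte-pos "-" [last-byte-pos]
# suffix-byte-range-spec = "-" suffix-length
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header, content_length, max_ranges=200):
    """Return (decision, [(start, end), ...]) for a Range header value.

    Ranges are inclusive byte offsets already clipped to the resource.
    A syntactically invalid header, or one with more than `max_ranges`
    elements, is ignored and the full resource is served instead.
    """
    if header is None:
        return FULL, []
    header = header.strip()
    if not header.lower().startswith("bytes="):
        return FULL, []  # unknown range unit: ignore the header
    specs = [s.strip() for s in header[len("bytes="):].split(",")]
    specs = [s for s in specs if s]  # tolerate empty list elements
    if not specs:
        return FULL, []
    if len(specs) > max_ranges:
        # The memory cost of serving a multipart response grows with the
        # number of ranges; refuse to honour an excessive list.
        return FULL, []

    resolved = []
    for spec in specs:
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return FULL, []  # not a byte-range-spec: ignore the whole header
        first, last = m.group(1), m.group(2)
        if first == "":
            # Suffix range "-N": the final N bytes of the resource.
            n = int(last)
            if n == 0:
                continue  # zero-length suffix is unsatisfiable
            start = max(0, content_length - n)
            end = content_length - 1
        else:
            start = int(first)
            if start >= content_length:
                continue  # starts past the end: unsatisfiable element
            end = content_length - 1 if last == "" else min(int(last), content_length - 1)
            if last != "" and int(last) < start:
                return FULL, []  # last < first is syntactically invalid
        resolved.append((start, end))

    if not resolved:
        return UNSATISFIABLE, []
    return PARTIAL, resolved


def slice_body(body, ranges):
    """Return the byte strings a server would emit for each resolved range."""
    return [body[start:end + 1] for start, end in ranges]


if __name__ == "__main__":
    # Constructed 100-byte resource for demonstration.
    body = b"0123456789" * 10
    for hdr in ("bytes=-20", "bytes=0-9,50-", "bytes=200-300", "bytes=5-3"):
        decision, ranges = parse_byte_ranges(hdr, len(body))
        print(hdr, "->", decision, ranges, slice_body(body, ranges))
    many = "bytes=" + ",".join("0-0" for _ in range(6))
    print(many, "with max_ranges=5 ->", parse_byte_ranges(many, len(body), max_ranges=5))
```

Run as a script it prints the decision for each sample header; 'bytes=-20' against the 100-byte body resolves to (80, 99), and the six-element header is ignored once the cap is set below six, which is the behaviour an operator should expect after setting MaxRanges.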