Carlos Alberto Lopez Perez wrote:
The new advisory [1] recommends this:
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop
Hello
Word is spreading that Request-Range: seems to be a synonym for Range: and
is similarly vulnerable but not covered by the config snippets that were
proposed yesterday. So Gentlemen, patch again! :-(
Bye,
-christian-
On 26/08/11 11:17, Christian Hammers wrote:
Hello
Word is spreading that Request-Range: seems to be a synonym for Range: and
is similarly vulnerable but not covered by the config snippets that were
proposed yesterday. So Gentlemen, patch again! :-(
Confirmed!
Just modified the suggest
On 26/08/11 8:52 PM, Carlos Alberto Lopez Perez wrote:
On 26/08/11 11:17, Christian Hammers wrote:
Hello
Word is spreading that Request-Range: seems to be a synonym for Range: and
is similarly vulnerable but not covered by the config snippets that were
proposed yesterday. So Gentlemen, patch
On 26 aug. 2011, at 13:22, linbloke wrote:
I'm curious as to why you suggest option 2 over option 1 from the Apache
advisory? My guess is that it is compatible with version 1.3 and 2.x and that
it has stronger enforcement of the syntax (by requiring ^bytes=) rather than
just 5 comma
On 26/08/11 13:22, linbloke wrote:
Hello,
I'm curious as to why you suggest option 2 over option 1 from the Apache
advisory? My guess is that it is compatible with version 1.3 and 2.x and
that it has stronger enforcement of the syntax (by requiring ^bytes=)
rather than just 5 comma
On 24/08/11 08:53 +0200, Dirk Hartmann wrote:
it is possible to DoS an actual squeeze-apache2 with easy to forge
range-requests:
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
Apache-devs are working on a solution:
Hi,
it is possible to DoS an actual squeeze-apache2 with easy to forge
range-requests:
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
Apache-devs are working on a solution:
http://www.gossamer-threads.com/lists/apache/dev/401638
But because the situation seems
On 24/08/11 08:53, Dirk Hartmann wrote:
Hi,
it is possible to DoS an actual squeeze-apache2 with easy to forge
range-requests:
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
Apache-devs are working on a solution:
2011/8/24 Carlos Alberto Lopez Perez clo...@igalia.com
On 24/08/11 08:53, Dirk Hartmann wrote:
Hi,
it is possible to DoS an actual squeeze-apache2 with easy to forge
range-requests:
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
Apache-devs are working
On 24/08/11 12:45, Andrea Zwirner wrote:
2011/8/24 Carlos Alberto Lopez Perez clo...@igalia.com
On 24/08/11 08:53, Dirk Hartmann wrote:
Hi,
it is possible to DoS an actual squeeze-apache2 with easy to forge
range-requests:
Hi,
Carlos Alberto Lopez Perez wrote:
You can use the following redirect as a temporary workaround:
# a2enmod rewrite
RewriteEngine On
RewriteCond %{HTTP:Range} bytes=0-.* [NC]
RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
Would that work for all websites of a Debian server if placed
On 24/08/11 12:13, Carlos Alberto Lopez Perez wrote:
You can use the following redirect as a temporary workaround:
# a2enmod rewrite
RewriteEngine On
RewriteCond %{HTTP:Range} bytes=0-.* [NC]
RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
Sorry, the above redirect is wrong. It won't
On 24/08/11 14:12, Andrew McGlashan wrote:
Would that work for all websites of a Debian server if placed into a
file located in /etc/apache2/conf.d ?
Will other rewrites be fine in the normal conf files for each website?
Thanks
It should not mess with other redirects that you