That is fine - we can do another update tomorrow, say noon zulu - if we expect
that we do not have a proper patch and/or a 2.0.65 / 2.2.20 in the day
following.
Weird though - my 2.0.61 and 64 do seem fine. So probably very early 2.0
series.
Dw
On 24 Aug 2011, at 20:40, Eric Covener wrote:
> I'm seeing Apache 2.0 doesn't accept our RequestHeader syntax due to a
> defect; it misinterprets it as a value and fails startup.
>
> If we have the opportunity to amend, I think we need to suggest the
> rewrite flavor for Apache 2.0 and earlier, not just 1.3 and earlier.
>
> Also for 1.3, is our RE safe for non-PCRE? And should we reconsider
> the "5" for something more liberal?
>
>> Option 1: (Apache 2.0 and 2.2)
>>
>> # drop Range header when more than 5 ranges.
>> # CVE-2011-3192
>> SetEnvIf Range (,.*?){5,} bad-range=1
>> RequestHeader unset Range env=bad-range
>>
>> # optional logging.
>> CustomLog logs/range-CVE-2011-3192.log common env=bad-range
>>
>> Option 2: (Also for Apache 1.3)
>>
>> # Reject request when more than 5 ranges in the Range: header.
>> # CVE-2011-3192
>> #
>> RewriteEngine on
>> RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
>> RewriteRule .* - [F]
>
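As an added example (not from the thread or from the Apache project), here is a small Python check that applies the two mitigation patterns quoted above to constructed Range header values, so the 5-range threshold and the points where the two options differ can be seen. Python's re module is PCRE-like, so this reflects Apache 2.x behaviour and says nothing about the non-PCRE engine in Apache 1.3 that Eric asks about.

```python
import re

# Both patterns are copied verbatim from the two mitigation options in the
# thread. Python's re engine is PCRE-like, so this mirrors Apache 2.x (PCRE);
# it does not model the non-PCRE regex engine of Apache 1.3.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")                      # Option 1
REWRITECOND_ALLOWED = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")  # Option 2


def count_ranges(range_value: str) -> int:
    """Number of comma-separated range specs in a Range header value."""
    return len(range_value.split(",")) if range_value else 0


def option1_drops_header(range_value: str) -> bool:
    """Option 1: SetEnvIf matches when the value holds 5 or more commas,
    i.e. 6+ ranges; the Range header is then unset and the request proceeds."""
    return SETENVIF_BAD_RANGE.search(range_value) is not None


def option2_rejects_request(range_value: str) -> bool:
    """Option 2: the RewriteCond is negated, so the request gets a 403 unless
    the value is empty or is 'bytes=' followed by 1 to 5 range specs."""
    return REWRITECOND_ALLOWED.search(range_value) is None


def evaluate(range_value: str) -> dict:
    """Summarise how each option treats one header value."""
    return {
        "ranges": count_ranges(range_value),
        "option1_drops_header": option1_drops_header(range_value),
        "option2_rejects_request": option2_rejects_request(range_value),
    }


# Constructed sample header values (not taken from the thread).
SAMPLES = [
    "",                                          # no Range header at all
    "bytes=0-",                                  # 1 range
    "bytes=0-9,10-19,20-29,30-39,40-49",         # exactly 5 ranges: allowed
    "bytes=0-9,10-19,20-29,30-39,40-49,50-59",   # 6 ranges: over the limit
    "items=0-9",                                 # non-bytes unit
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), evaluate(value))
```

Note that the last sample is where the options diverge: Option 1 leaves a single-range header with an unknown unit alone, while Option 2 rejects anything that does not start with `bytes=`.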