Folks - as we're not quit there yet - I want to do sent out an updated advisory
at 11:00 UTC. We have enough new information and extra mitigations. Will post
the draft(s) to security@ this time.
Secondly - I got below updates to the regex-es; to optimise the pcre
expressions and remove the exhaustive match:
from
SetEnvIf Range (,.*?){5,} bad-range=1
to
SetEnvIf Range (?:,.*?){5,} bad-range=1
from:
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
to:
RewriteCond %{HTTP:range} !(?:^bytes=[^,]+(?:,[^,]+){0,4}$|^$)
Please pipe up if you see issues with those,
Thanks
Dw.
PS: Committers - if you are not subscribed to security@ - now is a good time :)
