On 8/29/2011 10:40 AM, [email protected] wrote: > Author: jim > Date: Mon Aug 29 15:40:19 2011 > New Revision: 1162874 > > Changes with Apache 2.2.20 > > + *) SECURITY: CVE-2011-3192 (cve.mitre.org) > + core: Fix handling of byte-range requests to use less memory, to avoid > + denial of service. If the sum of all ranges in a request is larger than > + the original file, ignore the ranges and send the complete file. > + PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
The later sentence is clearly no protection against the flaw if the server offers huge resources, such as .iso's, larger packages or large pdfs. Also we have handlers which aren't going to indicate a C-L. It would seem that the first sentence is comprehensive enough to flag as -3192, and the later is a bug fix, but not really part of a security solution.
