On Mon, 29 Aug 2011, William A. Rowe Jr. wrote:

On 8/29/2011 10:40 AM, [email protected] wrote:
Author: jim
Date: Mon Aug 29 15:40:19 2011
New Revision: 1162874

 Changes with Apache 2.2.20

+  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
+     core: Fix handling of byte-range requests to use less memory, to avoid
+     denial of service. If the sum of all ranges in a request is larger than
+     the original file, ignore the ranges and send the complete file.
+     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
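Review bot: this entry records two different changes under the single CVE-2011-3192 heading, and only the first one is the security fix. The memory-handling change in the first sentence ("use less memory, to avoid denial of service") is what addresses the CVE; the fallback in the second sentence ("If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file") is a separate bug fix that can only apply when the response length is known, and the replies below note it gives no protection for large resources or for handlers that send no Content-Length. Suggest splitting this into two CHANGES entries: keep the memory sentence and PR 51714 under the CVE-2011-3192 line, and list the range-sum fallback as its own core fix with its own credits.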

The later sentence is clearly no protection against the flaw if the server
offers huge resources, such as .iso's, larger packages or large pdfs.  Also
we have handlers which aren't going to indicate a C-L.  It would seem that
the first sentence is comprehensive enough to flag as -3192, and the later
is a bug fix, but not really part of a security solution.
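To make the distinction William is drawing concrete, here is an added example (not httpd code, and not from anyone in this thread) that models the second sentence of the CHANGES entry as a standalone check. The function names, the Range-header subset it parses, and the sample requests are all assumptions for illustration. It shows the rule doing what the entry says on a small file, returning no decision at all when there is no Content-Length to compare against (the handler case), and passing a request on a large file whose ranges sum to less than the file size, which is exactly why the rule is a bug fix rather than the CVE mitigation.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical model of the "sum of all ranges larger than the file" rule
# quoted in the CHANGES entry. Not httpd's implementation.
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str, content_length: int) -> List[Tuple[int, int]]:
    """Parse 'bytes=a-b,c-,-d' into absolute inclusive (start, end) pairs.

    Malformed or unsatisfiable range-specs are skipped; ends past the last
    byte are clamped, as a server would do before serving the ranges.
    """
    if not header.startswith("bytes="):
        return []
    ranges: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        match = RANGE_SPEC.match(spec.strip())
        if not match:
            continue
        first, last = match.group(1), match.group(2)
        if first == "" and last == "":
            continue
        if first == "":
            # Suffix range "-N": the last N bytes of the resource.
            suffix_len = int(last)
            if suffix_len == 0:
                continue
            start = max(content_length - suffix_len, 0)
            end = content_length - 1
        else:
            start = int(first)
            end = int(last) if last else content_length - 1
            end = min(end, content_length - 1)
        if start > end or start >= content_length:
            continue
        ranges.append((start, end))
    return ranges


def ranges_exceed_file(header: str, content_length: Optional[int]) -> Optional[bool]:
    """Apply the CHANGES-entry rule.

    True  -> the ranges sum to more than the file; serve the whole file instead.
    False -> the rule does not trigger; the ranges would be served as requested.
    None  -> no Content-Length is known (e.g. a dynamic handler), so the rule
             cannot be applied at all, which is the gap raised in the thread.
    """
    if content_length is None:
        return None
    total = sum(end - start + 1
                for start, end in parse_byte_ranges(header, content_length))
    return total > content_length


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    small = 100                    # a 100-byte static file
    iso = 4 * 1024 ** 3            # a 4 GiB image, the "huge resource" case
    print(ranges_exceed_file("bytes=0-,0-,0-", small))              # True
    print(ranges_exceed_file("bytes=0-9,-10", small))               # False
    print(ranges_exceed_file("bytes=0-", None))                     # None
    # Two 1 MiB ranges on a 4 GiB file sum to far less than the file, so the
    # rule stays silent; how much memory serving them costs is governed by
    # the first sentence of the entry, not by this check.
    print(ranges_exceed_file("bytes=0-1048575,1048576-2097151", iso))  # False
```

The `None` return is the practical point: a check phrased in terms of the file size needs a known size, so for handlers that never set a Content-Length the first sentence of the entry (bounding memory while assembling the response) is the only part that actually limits the denial-of-service exposure.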

I have included the second part because it is related to the 0-,0-,0-,... issue (http://seclists.org/bugtraq/2007/Jan/83). But it really has nothing to do with CVE-2011-3192. Feel free to rephrase/remove/split into two entries/...
