On Mon, Aug 29, 2011 at 4:38 PM, William A. Rowe Jr. <[email protected]> wrote:

> On 8/29/2011 10:40 AM, [email protected] wrote:
> > Author: jim
> > Date: Mon Aug 29 15:40:19 2011
> > New Revision: 1162874
> >
> > Changes with Apache 2.2.20
> >
> > +  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
> > +     core: Fix handling of byte-range requests to use less memory, to avoid
> > +     denial of service. If the sum of all ranges in a request is larger than
> > +     the original file, ignore the ranges and send the complete file.
> > +     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
>
> The latter sentence is clearly no protection against the flaw if the server
> offers huge resources, such as .iso's, larger packages or large pdfs. Also
> we have handlers which aren't going to indicate a C-L. It would seem that
> the first sentence is comprehensive enough to flag as -3192, and the latter
> is a bug fix, but not really part of a security solution.

The 2.2.x fix has no dependency on the handler setting a Content-Length.
"original file" is the sum of lengths of all the buckets prior to the EOS.
If the handler is streaming or otherwise doesn't have an EOS, you get a 200
before or after the fix.

Greg
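
A model of the rule under discussion, added here as an example; it is not httpd's code and does not use the APR bucket brigade API. It takes "original file" to be the sum of the data bucket lengths before EOS, as Greg describes, and ignores the ranges when their sum exceeds that length, as the CHANGES entry says. The `GiB` constant, the bucket-length arrays, the Range headers and the function names are all constructed for this example. The `scenario_large_iso` case is William's objection in numbers: a 4 GiB .iso with 1300 overlapping ranges has a range sum of about 1.3 GB, so the sum check never fires; a brigade with no EOS gets a plain 200 whatever the Range header says.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not httpd code: a model of the 2.2.20 CHANGES rule, with
 * "original file" taken as the sum of the bucket lengths before EOS.  GiB,
 * the bucket arrays and all Range headers below are constructed here. */

#define GiB ((uint64_t)1 << 30)

/* "Original file" length: the sum of the data bucket lengths before EOS. */
static uint64_t resource_length(const uint64_t *lens, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += lens[i];
    return total;
}

/* Length of one byte-range-spec ("a-b", "a-", "-n") clamped to clen:
 * 0 if unsatisfiable, -1 if malformed (which voids the whole header). */
static int64_t spec_length(const char *spec, size_t n, uint64_t clen)
{
    char buf[64], *dash, *end;
    uint64_t start, stop;
    while (n && *spec == ' ') { spec++; n--; }
    if (n == 0 || n >= sizeof buf) return -1;
    memcpy(buf, spec, n);
    buf[n] = '\0';
    if (!(dash = strchr(buf, '-'))) return -1;
    *dash++ = '\0';                            /* buf = first, dash = last */
    if (buf[0] == '\0') {                      /* suffix form: -n */
        uint64_t suffix = strtoull(dash, &end, 10);
        if (*dash == '\0' || *end) return -1;
        return (int64_t)(suffix > clen ? clen : suffix);
    }
    start = strtoull(buf, &end, 10);
    if (*end) return -1;
    end = dash;                                /* "a-" (open-ended) has no last */
    stop = *dash ? strtoull(dash, &end, 10) : UINT64_MAX;
    if (*end || stop < start) return -1;
    if (start >= clen) return 0;               /* unsatisfiable */
    if (stop >= clen) stop = clen - 1;
    return (int64_t)(stop - start + 1);
}

/* Sum of all range lengths in a "bytes=" header, or -1 if the header is
 * not usable (other unit, no specs, bad syntax). */
static int64_t sum_of_ranges(const char *hdr, uint64_t clen)
{
    int64_t sum = 0;
    int nspecs = 0;
    if (!hdr || strncmp(hdr, "bytes=", 6) != 0) return -1;
    for (const char *p = hdr + 6; *p; nspecs++) {
        const char *comma = strchr(p, ',');
        size_t n = comma ? (size_t)(comma - p) : strlen(p);
        int64_t len = spec_length(p, n, clen);
        if (len < 0) return -1;
        sum += len;
        p = comma ? comma + 1 : p + n;
    }
    return nspecs ? sum : -1;
}

/* Status under the modelled rule: 206 only if the brigade has an EOS, the
 * header is usable and the range sum does not exceed the length; otherwise
 * the ranges are ignored and the whole resource goes out as 200. */
static int decide_status(const char *hdr, const uint64_t *lens, size_t n, int eos)
{
    int64_t sum;
    uint64_t clen = resource_length(lens, n);

    if (!eos) return 200;                      /* streaming handler: 200 */
    if ((sum = sum_of_ranges(hdr, clen)) < 0) return 200;
    if ((uint64_t)sum > clen) return 200;      /* the CHANGES rule */
    return sum ? 206 : 416;                    /* 416: nothing satisfiable */
}

/* William's case: a 4 GiB .iso and 1300 overlapping ~1 MB ranges.  The sum,
 * 1300001300, is far below the file size, so the rule never fires and all
 * 1300 ranges are honoured. */
static int scenario_large_iso(void)
{
    static const uint64_t iso[] = { 4 * GiB };
    static char hdr[6 + 1300 * 10 + 1];
    size_t off = (size_t)snprintf(hdr, sizeof hdr, "bytes=");
    for (int i = 0; i < 1300; i++)
        off += (size_t)snprintf(hdr + off, sizeof hdr - off,
                                "%s0-1000000", i ? "," : "");
    return decide_status(hdr, iso, 1, 1);
}

int main(void)
{
    static const uint64_t small[] = { 400, 600 }, stream[] = { 8192, 8192 };
    printf("4 GiB iso, 1300 ranges: %d\n", scenario_large_iso());
    printf("1000 B, 5 x 0-999:      %d\n",
           decide_status("bytes=0-999,0-999,0-999,0-999,0-999", small, 2, 1));
    printf("no EOS, 0-10:           %d\n", decide_status("bytes=0-10", stream, 2, 0));
    return 0;
}
```

The sum check only bounds what a single request can ask for relative to the resource, not the number of ranges or how much they overlap, which is why it does nothing for the large-resource case; the no-EOS path returns 200 before the sum is ever computed.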
