On 8/29/2011 3:48 PM, Stefan Fritsch wrote:
> On Mon, 29 Aug 2011, William A. Rowe Jr. wrote:
>
>> On 8/29/2011 10:40 AM, [email protected] wrote:
>>> Author: jim
>>> Date: Mon Aug 29 15:40:19 2011
>>> New Revision: 1162874
>>>
>>> Changes with Apache 2.2.20
>>>
>>> +  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
>>> +     core: Fix handling of byte-range requests to use less memory, to avoid
>>> +     denial of service. If the sum of all ranges in a request is larger than
>>> +     the original file, ignore the ranges and send the complete file.
>>> +     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
>>
>> The later sentence is clearly no protection against the flaw if the server
>> offers huge resources, such as .iso's, larger packages or large pdfs. Also
>> we have handlers which aren't going to indicate a C-L. It would seem that
>> the first sentence is comprehensive enough to flag as -3192, and the later
>> is a bug fix, but not really part of a security solution.
>
> I have included the second part because it is related to the 0-,0-,0-,...
> issue (http://seclists.org/bugtraq/2007/Jan/83). But it really has nothing to do
> with CVE-2011-3192. Feel free to rephrase/remove/split into two entries/...
+1 to split them into two different changes.
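The "sum of all ranges" rule from the quoted CHANGES entry, written out as an added example; this is not httpd's own code and does not reproduce what 2.2.20 actually does internally. It parses a Range header value, sums the byte lengths of the ranges against a content length of `clen` bytes, and ignores the ranges (sends the complete file) when that sum exceeds the file. The sample headers are constructed; `sum_of_ranges` and `honour_ranges` are names chosen here. The third sample makes Bill's objection concrete: the `0-,0-,0-` pattern from the bugtraq post is rejected for a small file, while a request whose ranges fit comfortably inside a large resource passes the sum check unchanged.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sum the byte lengths of every range-spec in a Range header value such as
 * "bytes=0-99,200-299,-50" against a representation of clen bytes.  Ranges
 * are clamped to the file, and ranges that start past the end contribute 0.
 * Returns -1 if the value is not a syntactically valid byte-range set. */
long sum_of_ranges(const char *range, long clen)
{
    const char *p;
    long total = 0;

    if (range == NULL || strncmp(range, "bytes=", 6) != 0)
        return -1;
    p = range + 6;

    while (*p) {
        char *end;
        long first, last;

        while (*p == ' ' || *p == ',')      /* skip separators and blanks */
            p++;
        if (!*p)
            break;

        if (*p == '-') {
            /* suffix-byte-range-spec "-N": the last N bytes of the file */
            long suffix = strtol(p + 1, &end, 10);
            if (end == p + 1 || suffix < 0)
                return -1;
            if (suffix > clen)
                suffix = clen;
            first = clen - suffix;
            last = clen - 1;
        } else {
            /* byte-range-spec "first-last" or "first-" (to end of file) */
            first = strtol(p, &end, 10);
            if (end == p || first < 0 || *end != '-')
                return -1;
            end++;                          /* step over the '-' */
            if (isdigit((unsigned char)*end)) {
                last = strtol(end, &end, 10);
                if (last < first)
                    return -1;
            } else {
                last = clen - 1;
            }
            if (last > clen - 1)
                last = clen - 1;
        }
        if (first <= last)                  /* unsatisfiable range adds 0 */
            total += last - first + 1;
        p = end;
        if (*p && *p != ',' && *p != ' ')
            return -1;
    }
    return total;
}

/* The rule from the quoted CHANGES entry: if the sum of all ranges is larger
 * than the original file, ignore the ranges and send the complete file.  A
 * malformed Range value is ignored as well (RFC 2616 lets a server treat an
 * invalid Range header as absent).  Returns 1 to honour the ranges and 0 to
 * ignore them and send the whole representation. */
int honour_ranges(const char *range, long clen)
{
    long total = sum_of_ranges(range, clen);
    if (total < 0)
        return 0;
    return total <= clen;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const struct { const char *range; long clen; } samples[] = {
        { "bytes=0-99,200-299", 1000 },                   /* ordinary multi-range request */
        { "bytes=0-,0-,0-", 100 },                        /* the bugtraq 0-,0-,0- pattern  */
        { "bytes=0-0,1-1,2-2,3-3", 700L * 1024 * 1024 },  /* Bill's large-resource case    */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s clen=%-10ld sum=%-6ld -> %s\n",
               samples[i].range, samples[i].clen,
               sum_of_ranges(samples[i].range, samples[i].clen),
               honour_ranges(samples[i].range, samples[i].clen)
                   ? "honour ranges" : "send whole file");
    return 0;
}
```

The decision is made purely on the arithmetic the CHANGES entry describes, which is why the last sample is honoured: nothing in that rule bounds the number of ranges, only their total length relative to the file, and it cannot be applied at all when a handler never supplies a content length.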
