Note some additional improvements for a 'final' update 3 advisory...

We ought to mention that mod_headers or mod_rewrite and mod_setenvif are required for their respective workarounds; this apparently confuses some beginning users.

We ought to mention that backend/application servers are not protected from odd Range: constructs passed through mod_proxy.

We ought to add the release 2.2.20 as solution #1.

We ought to add a reference to patches published at:

http://www.apache.org/dist/httpd/patches/apply_to_2.2.19/
http://www.apache.org/dist/httpd/patches/apply_to_2.0.64/

We must advise that 1.3 is not affected, per our further research, although we can note that the default configuration (MaxClients etc.) may already be inappropriate in any number of distributions, and remind administrators to tune their configuration to gracefully handle the maximum volume of requests.
