Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "CVE-2011-3192" page has been changed by wrowe: http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=2&rev2=3 Changes since last update ========================= - 2.2.20 has a fix. 2.2.21 a bitter on. 1.3. not vulnerable. Further regex/rule - improments. 1.3 support stopgap module. Explain DoS. Reduce severity for 1.3. + 2.2.20 has a fix, 2.2.21 an improved one. Version 1.3 is not vulnerable. + Further regex/rule improvements. Explained DoS. Added wiki link. - Added wiki link. Highlight fact that LimitRequestFieldSize is not sufficient. + Highlight fact that LimitRequestFieldSize workaround was insufficient. Changes since update 1 ========================= @@ -120, +120 @@ 2-3 and MSIE 3. Depending on your user community - it is likely that you can use option '3' safely for this older 'Request-Range'. + 0) Consult http://httpd.apache.org/security/CVE-2011-3192.txt for the most - 0) Consult - for more recent - information (as this is the final advisory). + recent information (as this is the final advisory). 1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request. @@ -191, +190 @@ Note ==== - Earlier advisories suggested theuse of LimitRequestFieldSize. This method is + Earlier advisories suggested the use of LimitRequestFieldSize. This mitigation - not fully effective and can by bypassed by splitting the attack vector up + was not fully effective and can by bypassed by splitting the attack vector up across multiple headers. Therefore you should not rely on LimitRequestFieldSize alone. @@ -210, +209 @@ ======== Apache HTTPD users who are concerned about a DoS attack against their server - should 1) upgrade to version 2.2.20, 2) if not possible - apply the provided - patches or 3) consider implementing any of the above mitigations immediately. 
+ should 1) upgrade to version 2.2.21 (or 2.0.65 when it becomes available), + 2) if not possible - apply the provided patches or 3) consider implementing + any of the above mitigations immediately. When using a third party attack tool to verify vulnerability - note that most of the versions in the wild currently check for the presence of mod_deflate; @@ -222, +222 @@ Planning: ========= - No further advisories are planned. However we will track information at + No further advisory email announcements are planned. However we will track + minor refinements of this advisory at; + + http://httpd.apache.org/security/CVE-2011-3192.txt + + Further recommendations and discussion on workarounds, or user-agent + specific complications of these fixes will be tracked at; + + http://wiki.apache.org/httpd/CVE-2011-3192 + }}} --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
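Review bot: the rewritten line in hunk @@ -191,+190 carries over the typo "can by bypassed" from the removed line; since the line is already being touched, it should read "was not fully effective and can be bypassed by splitting the attack vector up".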
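Review bot: in hunk @@ -210,+209 the qualifier "(or 2.0.65 when it becomes available)" will go stale as soon as that release ships, and readers of the advisory text have no way to tell whether it has. Hunk @@ -222,+222 already directs readers to http://httpd.apache.org/security/CVE-2011-3192.txt for refinements, so consider pointing the 2.0.x availability status there and keeping this line version-neutral for the 2.0 branch.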
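Review bot: both added lines in hunk @@ -222,+222 that introduce a URL end with a semicolon ("minor refinements of this advisory at;" and "will be tracked at;"); a colon is the conventional punctuation before a URL on its own line, and the rest of the advisory uses none of these semicolon lead-ins.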
