Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "CVE-2011-3192" page has been changed by wrowe: http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=3&rev2=4 overlapping ranges are handled by the Apache HTTPD server prior to version 2.2.20: + http://seclists.org/fulldisclosure/2011/Aug/175 + An attack tool is circulating in the wild. Active use of this tool has been observed. @@ -72, +74 @@ and resolved with this server side fix. The other issue is fundamentally a protocol design issue dating back to 2007: + http://seclists.org/bugtraq/2007/Jan/83 + The contemporary interpretation of the HTTP protocol (currently) requires a server to return multiple (overlapping) ranges; in the order requested. This means that one can request a very large range (e.g. from byte 0- to the end) @@ -79, +83 @@ Being able to do so is an issue for (probably all) webservers and currently subject of an IETF discussion to change the protocol: + + http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311 This advisory details a problem with how Apache httpd and its so called internal 'bucket brigades' deal with serving such "valid" request. The @@ -91, +97 @@ ==== This vulnerability has been fixed in release 2.2.20 and beyond. You are - advised to upgrade to version 2.2.21 (or newer). + advised to upgrade to version 2.2.21 (or newer, or 2.0.65 once that version + is published). If you cannot upgrade - you can apply a Patch and recompile: + + http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/ (for 2.2.9 - .14) + http://www.apache.org/dist/httpd/patches/apply_to_2.2.19/ (for 2.2.15 - .19) + http://www.apache.org/dist/httpd/patches/apply_to_2.0.64/ (for 2.0.55 - .64) If you cannot upgrade and/or cannot apply above patches in a timely manner then you could consider to apply te mitigations suggested below. 
@@ -152, +163 @@ # RewriteEngine on RewriteCond %{ + HTTP:range } !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC] RewriteRule .* - [F] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
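Review bot: the lines added in the first hunk (after "prior to version 2.2.20:"), "An attack tool is circulating in the wild. Active use of this tool has been observed.", give no date or source for the observation, so a reader cannot tell how current the statement is; suggest tying it to the linked post, e.g. "Active use of this tool has been observed (see the Full Disclosure post linked above, August 2011)."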
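Review bot: in the hunk at @@ -72, +74 @@ the added sentence "The contemporary interpretation of the HTTP protocol (currently) requires a server to return multiple (overlapping) ranges; in the order requested." has a redundant "(currently)" next to "contemporary" and a semicolon where a comma belongs; suggest "The contemporary interpretation of the HTTP protocol requires a server to return multiple (overlapping) ranges, in the order requested."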
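Review bot: in the hunk at @@ -91, +97 @@ the new upgrade advice sends 2.0.x users to "2.0.65 once that version is published", a release that does not exist yet, while the preceding sentence still says the fix is in "2.2.20 and beyond"; suggest stating plainly that no fixed 2.0.x release is available at the time of writing and that 2.0.55 - .64 installations should apply the apply_to_2.0.64 patch listed just below until 2.0.65 ships. The unchanged context line "consider to apply te mitigations" also has a typo ("te" for "the") that is worth fixing while this section is being edited.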
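Review bot: in the hunk at @@ -152, +163 @@ the "+" marker lands inside the variable reference, rendering as "RewriteCond %{ + HTTP:range }"; please confirm the wiki source keeps "RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]" on a single line, since a space-separated "%{ HTTP:range }" would not be read by mod_rewrite as one test string and the whole mitigation would fail at configuration time. A one-line comment next to the rule stating what it does would also help: a Range header that is not of the form "bytes=..." or that carries more than five comma-separated ranges is answered with 403 via "[F]", an absent or empty header passes, and legitimate clients that send more than five ranges are rejected as well.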
