Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "CVE-2011-3192" page has been changed by wrowe: http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=4&rev2=5 Changes since last update ========================= - 2.2.20 has a fix, 2.2.21 an improved one. Version 1.3 is not vulnerable. + 2.2.20 has a fix, 2.2.21 an improved one. Version 1.3 is not vulnerable. - Further regex/rule improvements. Explained DoS. Added wiki link. + Further regex/rule improvements. Explained DoS. Added wiki link. Highlight fact that LimitRequestFieldSize workaround was insufficient. Changes since update 1 @@ -33, +33 @@ overlapping ranges are handled by the Apache HTTPD server prior to version 2.2.20: - http://seclists.org/fulldisclosure/2011/Aug/175 + http://seclists.org/fulldisclosure/2011/Aug/175 An attack tool is circulating in the wild. Active use of this tool has been observed. @@ -74, +74 @@ and resolved with this server side fix. The other issue is fundamentally a protocol design issue dating back to 2007: - http://seclists.org/bugtraq/2007/Jan/83 + http://seclists.org/bugtraq/2007/Jan/83 The contemporary interpretation of the HTTP protocol (currently) requires a server to return multiple (overlapping) ranges; in the order requested. This @@ -162, +162 @@ # CVE-2011-3192 # RewriteEngine on + RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC] - RewriteCond %{ - HTTP:range - } !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC] RewriteRule .* - [F] # We always drop Request-Range; as this is a legacy @@ -221, +219 @@ ======== Apache HTTPD users who are concerned about a DoS attack against their server - should 1) upgrade to version 2.2.21 (or 2.0.65 when it becomes available), + should 1) upgrade to version 2.2.21 (or 2.0.65 when it becomes available), - 2) if not possible - apply the provided patches or 3) consider implementing + 2) if not possible - apply the provided patches or 3) consider implementing any of the above mitigations immediately. 
When using a third party attack tool to verify vulnerability - note that most @@ -234, +232 @@ Planning: ========= - No further advisory email announcements are planned. However we will track + No further advisory email announcements are planned. However we will track minor refinements of this advisory at; http://httpd.apache.org/security/CVE-2011-3192.txt @@ -243, +241 @@ specific complications of these fixes will be tracked at; http://wiki.apache.org/httpd/CVE-2011-3192 - }}}
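Review bot: the changelog hunk at the top says this revision highlights that the LimitRequestFieldSize workaround was insufficient, but none of the other hunks in this diff adds that statement to the advisory body; either the body hunk is missing from this revision or the point exists only in the change log, where readers who relied on LimitRequestFieldSize will not see it. Suggest adding one sentence in the mitigations section stating that limiting header size does not stop the attack and that operators should use the Range-count rule or upgrade to 2.2.21.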
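Review bot: in the @@ -162 hunk, the rev 4 form of the rule was not loadable, since `RewriteCond %{` / `HTTP:range` / `} !(...)` split over three lines is not one directive, so anyone who pasted the earlier version never had this mitigation active and should re-apply the corrected single line `RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]`. Worth adding a sentence above the block saying the directive must stay on one line, and noting that the pattern only caps a request at five byte ranges (the `|^$` branch lets requests without a Range header through); overlap within those five is still served, as the protocol text in the @@ -74 hunk says the server is required to do.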
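Review bot: the @@ -243 hunk removes the closing `}}}` after the wiki link without any matching `{{{` being removed in this diff, so unless the opening marker was dropped elsewhere in the same revision the preformatted block now runs to the end of the page. Please check the rendered page at the diff URL; if the intent was to end the preformatted block there, the `}}}` should be restored.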
