Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "CVE-2011-3192" page has been changed by wrowe: http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=6&rev2=7 Comment: several grammatical and time clarifications This vulnerability concerns a 'Denial of Service' attack. This means that a remote attacker, under the right circumstances, is able to slow your - service or server down to a craw. Leaving it unable to serve legitimate - clients in a timely manner. + service or server down to a crawl or exhausting memory available to serve + requests, leaving it unable to serve legitimate clients in a timely manner. There are no indications that this leads to a remote exploit; where a third party can compromise your security and gain foothold of the server itself. The result of this vulnerability is purely one of denying service - by grinding your server down to an halt. + by grinding your server down to a halt and refusing additional connections + to the server. Background and the 2007 report ============================== @@ -96, +97 @@ FIX ==== - This vulnerability has been fixed in release 2.2.20 and beyond. You are + This vulnerability has been fixed in release 2.2.20 and further corrected - advised to upgrade to version 2.2.21 (or newer, or 2.0.65 once that version - is published). + in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the + legacy 2.0.65 release, once these are published. The 2.2.21 package is + currently undergoing review, and a 2.0.65 package is also expected during + this month. 
- If you cannot upgrade - you can apply a Patch and recompile: + If you cannot upgrade, or cannot wait to upgrade - you can apply the + appropriate source code patch and recompile a recent existing version; http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/ (for 2.2.9 - .14) http://www.apache.org/dist/httpd/patches/apply_to_2.2.19/ (for 2.2.15 - .19) http://www.apache.org/dist/httpd/patches/apply_to_2.0.64/ (for 2.0.55 - .64) If you cannot upgrade and/or cannot apply above patches in a timely manner - then you could consider to apply te mitigations suggested below. + then you should consider to apply one or more of the mitigation suggested below. CAVEATS =======
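Review bot: In the first hunk, the added wording "slow your service or server down to a crawl or exhausting memory available to serve requests" breaks the parallel with "is able to slow", so it is unclear whether memory exhaustion is a second outcome or part of the slowdown; suggest "is able to slow your service or server down to a crawl or exhaust the memory available to serve requests". The same hunk adds "and refusing additional connections to the server" after "grinding your server down to a halt", which reads as if the attacker refuses the connections; "until it refuses additional connections" would make the server the subject.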
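Review bot: In the @@ -96, +97 @@ hunk, the FIX text recommends 2.2.21 and 2.0.65 "once these are published" but does not say whether 2.2.20, which the same sentence says carries the fix, is an acceptable interim upgrade given it was "further corrected in 2.2.21"; state that explicitly so readers know what to install today. "during this month" carries no date and will go stale on a wiki page, so name the month. In the last added line, "one or more of the mitigation suggested below" should read "mitigations", and "consider to apply" is better as "consider applying".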
