Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "CVE-2011-3192" page has been changed by RobertPattinson: http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=13&rev2=14 The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. - The default Apache httpd installations version 2.0 prior to 2.0.65 and + The default Apache httpd installations version 2.0 prior to 2.0.65 and version 2.2 prior to 2.2.20 are vulnerable. Apache 2.2.20 does fix this issue; however with a number of side effects @@ -111, +111 @@ in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the legacy 2.0.65 release, once this is published (anticipated in September). - If you cannot upgrade, or cannot wait to upgrade - you can apply the + If you cannot upgrade, or cannot wait to upgrade - you can apply the appropriate source code patch and recompile a recent existing version; http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/ (for 2.2.9 - .14) @@ -210, +210 @@ A stop-gap module which is runtime-configurable can be found at: http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/ - + - A simpler stop-gap module which requires compile-time configuration + A simpler stop-gap module which requires compile-time configuration is also available: http://people.apache.org/~dirkx/mod_rangecnt.c @@ -258, +258 @@ of the versions in the wild currently check for the presence of mod_deflate; and will (mis)report that your server is not vulnerable if this module is not present. This vulnerability is not dependent on presence or absence of - that module. + that module.[ - - Planning: - ========= - - No further advisory email announcements are planned. 
However we will track - minor refinements of this advisory at; - - http://httpd.apache.org/security/CVE-2011-3192.txt - - Further recommendations and discussion on workarounds, or user-agent - specific complications of these fixes will be tracked at; - - http://wiki.apache.org/httpd/CVE-2011-3192 }}} + == . == --------------------------------------------------------------------- To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org For additional commands, e-mail: docs-h...@httpd.apache.org
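Review bot: the -/+ pairs for "The default Apache httpd installations version 2.0 prior to 2.0.65 and", "If you cannot upgrade, or cannot wait to upgrade - you can apply the" and "A simpler stop-gap module which requires compile-time configuration" show no visible difference in wording, so these hunks look like whitespace-only churn inside a security advisory. Drop them from the revision so the history of this page records only intentional changes to the affected-version and mitigation text.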
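Review bot: the hunk at @@ -258 deletes the whole "Planning" section, including the pointers to http://httpd.apache.org/security/CVE-2011-3192.txt and to the wiki page where workarounds are tracked, and leaves a stray "[" after "that module." plus an empty heading "== . ==" in its place. None of that adds anything to the advisory, and it removes the references readers need to follow later refinements. Suggest reverting rev 14 to rev 13 and checking whether this editor's other changes to the wiki show the same pattern.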