On Sun, 23 Jun 2002, Joshua Lee wrote:
> On Thu, 20 Jun 2002 19:59:20 -0700 > Terry Lambert <[EMAIL PROTECTED]> wrote: > > > Patrick Thomas wrote: > > > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your > > > system is no longer vulnerable to the "chunking" attack, even if you are > > > still running a vulnerable apache ? > > > > Not FreeBSD, but it's possible to reconfigure Apache. > > > > The way you would deal with this would be to tell Apache that it > > was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. > > I've found a better solution! On today's freshports there is something > called mod_blowchunks :-) If installed, it will reject chunking and log > it. This is an alternative to upgrading Apache. Given the place the problem occurs: I'd be weary of such solutions. Apaceh's myrad of config abilities are second only to sendmail - and it is easy to let a certain case slip through. If nessesary simply do a 'cvs diff' on apache it's cvs (dev.apache.org for anon access; I am willing to work with BSD developers to help if needed) to see the relatively few lines of code which are an issue - and which can be backported easily. Dw To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
