Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Sun, 23 Jun 2002 02:06:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote:

> Joshua Lee wrote:
> > Terry Lambert [EMAIL PROTECTED] wrote:
> > > The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature.
> >
> > I've found a better solution! On today's freshports there is something called mod_blowchunks :-) If installed, it will reject chunking and log it. This is an alternative to upgrading Apache.
>
> But if a client uses chunking legitimately, and does so because it believes it's talking to an HTTP server, you've just broken that client's ability to POST/PUT.

You mean to say it believes it is talking to an HTTP 1.1 server, yes? I guess using HTTP 1.0 is a better solution then. Of course, maybe the *best* solution IMVHO would be to upgrade to the Apache version without this bug.

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-hackers in the body of the message
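What "reject chunking and log it" amounts to at the request-header level, as an added example that is not part of the original thread and is not mod_blowchunks' own code. The function names, the 501 status and the sample requests are assumptions constructed for illustration; the third sample shows the trade-off raised above, since a legitimate chunked POST is refused as well.

```python
import logging

log = logging.getLogger("chunk_filter")  # hypothetical logger name

def parse_head(raw: bytes):
    """Return (method, version, headers) from the request head; the body is never parsed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, _target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()  # header names are case-insensitive
        # Repeated headers are folded into one comma-separated value.
        headers[key] = (headers[key] + ", " if key in headers else "") + value.strip()
    return method, version, headers

def uses_chunking(headers) -> bool:
    """True if 'chunked' appears anywhere in the Transfer-Encoding list."""
    codings = headers.get("transfer-encoding", "").split(",")
    return "chunked" in [c.strip().lower() for c in codings]

def screen(raw: bytes, client: str):
    """Return (allowed, status). Using 501 for the refusal is this example's choice."""
    method, version, headers = parse_head(raw)
    if uses_chunking(headers):
        log.warning("rejected chunked %s from %s (%s)", method, client, version)
        return False, 501
    return True, None

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain_get": b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "sized_post": b"POST /form HTTP/1.1\r\nHost: www.example.org\r\n"
                  b"Content-Length: 5\r\n\r\nhello",
    "chunked_post": b"POST /form HTTP/1.1\r\nHost: www.example.org\r\n"
                    b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "mixed_case": b"PUT /file HTTP/1.1\r\nHost: www.example.org\r\n"
                  b"transfer-encoding: gzip, Chunked\r\n\r\n",
}

def run_samples():
    """Screen every sample from a documentation-range client address."""
    return {name: screen(raw, "192.0.2.10") for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, verdict in run_samples().items():
        print(name, verdict)
```
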
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote:

> Patrick Thomas wrote:
> > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ?
>
> Not FreeBSD, but it's possible to reconfigure Apache. The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature.

I've found a better solution! On today's freshports there is something called mod_blowchunks :-) If installed, it will reject chunking and log it. This is an alternative to upgrading Apache.
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote:

> Patrick Thomas wrote:
> > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ?

Why not upgrade Apache...?? Both the 1 and 2 series have been updated I think. (I'm a newbie at server stuff, so bear with me if I made a faux pas.)

> The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. The only place this is an issue is if you need to reuse an HTTP connection, and that only occurs in HTTP 1.1 when you are doing pipelining. Everywhere else, you can indicate an end of data

Mozilla has an option to enable http pipelining as a performance option. I regularly used this, maybe I shouldn't?
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Fri, 21 Jun 2002 10:38:21 +0200 Bernd Walter [EMAIL PROTECTED] wrote:

> On Fri, Jun 21, 2002 at 02:29:30AM -0400, Joshua Lee wrote:
> > On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote:
> > > The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. The only place this is an issue is if you need to reuse an HTTP connection, and that only occurs in HTTP 1.1 when you are doing pipelining. Everywhere else, you can indicate an end of data
> >
> > Mozilla has an option to enable http pipelining as a performance option. I regularly used this, maybe I shouldn't?
>
> It should fall back.

Considering that there's a warning concerning its use with some servers maybe it doesn't... Luckily it's not on by default.