Apache does not properly handle requests with multiple Range headers, leading to a memory exhaustion condition. The exploit was posted on full-disclosure ($URL). Upstream is discussing the issue here: http://www.gossamer-threads.com/lists/apache/dev/401638
The Debian maintainers made the patch for this bug: http://www.debian.org/security/2011/dsa-2298
Upstream has released 2.2.20. From https://www.apache.org/dist/httpd/Announcement2.2.txt: * SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714.
*** Bug 381297 has been marked as a duplicate of this bug. ***
*** Bug 368743 has been marked as a duplicate of this bug. ***
Can we please have someone from the Apache team bump the ebuild? I'd be happy to do so myself if no one has time, just let me know it's okay.
(In reply to comment #5) > Can we please have someone from the Apache team bump the ebuild? I'd be happy > to do so myself if no one has time, just let me know it's okay. As far as we are concerned, sure, go ahead.
2.2.20 is in the tree. Arch teams, please stabilize: www-servers/apache-2.2.20 app-admin/apache-tools-2.2.20
amd64: pass.
CVE-2011-3192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3192): The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
Multiple compile test on my box and start restart daemon is ok. Looks perfect also on server ( hardened environment ). amd64 ok.
+ 02 Sep 2011; Tony Vroon <chainsaw@gentoo.org> apache-tools-2.2.20.ebuild: + Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El + Lazkani & Agostino "ago" Sarubbo in security bug #380475 filed by Alex "a3li" + Legler. + 02 Sep 2011; Tony Vroon <chainsaw@gentoo.org> apache-2.2.20.ebuild: + Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El + Lazkani & Agostino "ago" Sarubbo in security bug #380475 filed by Alex "a3li" + Legler.
Stable on alpha.
Stable for HPPA.
ppc/ppc64 stable
arm/ia64/s390/sh/sparc/x86 stable
Thanks, folks. Added to existing GLSA request.
apache announces that the fix is incomplete and has released 2.2.21: http://www.apache.org/dist/httpd/Announcement2.2.html
Thanks for the notice Hanno. We proceed in bug 382971.
For users who can't/won't upgrade, see http://httpd.apache.org/security/CVE-2011-3192.txt for some mitigation options.
(In reply to comment #19) > For users who can't/won't upgrade, see > http://httpd.apache.org/security/CVE-2011-3192.txt for some mitigation options. Specifically, you can disable range headers completely by adding: RequestHeader unset Range RequestHeader unset Request-Range Be sure to read the docs as to how this may affect clients.
This issue was resolved and addressed in GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml by GLSA coordinator Tobias Heinlein (keytoaster).
