Summary: | <www-servers/apache-2.2.20 Multiple Range header DoS (CVE-2011-3192) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | andreasoehler, apache-bugs, cilly, Dessa, djc, erwan, gentoo, glua, himbeere, idl0r, jaak, jan, janos, kacarstensen, karl, mno2go, nabeken, naota, nirbheek, pva, rajiv, themidnightoker, tobias.pal, voyageur |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://seclists.org/fulldisclosure/2011/Aug/175 | ||
Whiteboard: | A3 [glsa] | ||
Package list: | | Runtime testing required: | ---
Bug Depends on: | |||
Bug Blocks: | 360787 | |
Description
Alex Legler (RETIRED)
2011-08-24 10:35:02 UTC
The Debian maintainers made the patch for this bug: http://www.debian.org/security/2011/dsa-2298

Upstream has released 2.2.20. From https://www.apache.org/dist/httpd/Announcement2.2.txt:

  * SECURITY: CVE-2011-3192 (cve.mitre.org)
    core: Fix handling of byte-range requests to use less memory, to avoid
    denial of service. If the sum of all ranges in a request is larger than
    the original file, ignore the ranges and send the complete file.
    PR 51714.

*** Bug 381297 has been marked as a duplicate of this bug. ***

*** Bug 368743 has been marked as a duplicate of this bug. ***

Can we please have someone from the Apache team bump the ebuild? I'd be happy to do so myself if no one has time, just let me know it's okay.

(In reply to comment #5)
> Can we please have someone from the Apache team bump the ebuild? I'd be happy
> to do so myself if no one has time, just let me know it's okay.

As far as we are concerned, sure, go ahead.

2.2.20 is in the tree. Arch teams, please stabilize:

  www-servers/apache-2.2.20
  app-admin/apache-tools-2.2.20

amd64: pass.

CVE-2011-3192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3192):
  The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.

Multiple compile tests on my box and start/restart of the daemon are ok. Looks perfect also on a server (hardened environment). amd64 ok.

+ 02 Sep 2011; Tony Vroon <chainsaw@gentoo.org> apache-tools-2.2.20.ebuild:
+ Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+ Lazkani & Agostino "ago" Sarubbo in security bug #380475 filed by Alex "a3li"
+ Legler.

+ 02 Sep 2011; Tony Vroon <chainsaw@gentoo.org> apache-2.2.20.ebuild:
+ Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+ Lazkani & Agostino "ago" Sarubbo in security bug #380475 filed by Alex "a3li"
+ Legler.

Stable on alpha.

Stable for HPPA.

ppc/ppc64 stable

arm/ia64/s390/sh/sparc/x86 stable

Thanks, folks. Added to existing GLSA request.

Apache announces that the fix is incomplete and has released 2.2.21: http://www.apache.org/dist/httpd/Announcement2.2.html

Thanks for the notice, Hanno. We proceed in bug 382971.

For users who can't/won't upgrade, see http://httpd.apache.org/security/CVE-2011-3192.txt for some mitigation options.

(In reply to comment #19)
> For users who can't/won't upgrade, see
> http://httpd.apache.org/security/CVE-2011-3192.txt for some mitigation options.

Specifically, you can disable range headers completely by adding:

  RequestHeader unset Range
  RequestHeader unset Request-Range

Be sure to read the docs as to how this may affect clients.

This issue was resolved and addressed in GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml by GLSA coordinator Tobias Heinlein (keytoaster).
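The following is an added example, not code from Apache httpd or from this bug's participants. It models the two checks the thread talks about: the 2.2.20 heuristic quoted from the announcement (if the bytes requested across all ranges exceed the resource, ignore the ranges and serve the whole file) and a header-dropping mitigation in the spirit of the `RequestHeader unset Range` comment, here applied selectively to requests carrying too many ranges. The `MAX_RANGES` threshold of 5, the 2000-byte resource size and the attack-shaped header built in `__main__` are constructed for the example and are not from the page. The thread itself records that the 2.2.20 check alone was judged incomplete (2.2.21 followed), so treat the sum check as one layer, not the whole fix.

```python
"""Byte-range parsing plus the defensive decisions discussed in this bug.
Added example; not Apache httpd's own byterange filter code."""
import re

# One "first-last" spec from a Range header; either side may be empty.
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

# Assumed policy threshold for this example (hypothetical, not from the page).
MAX_RANGES = 5


def parse_range_header(header, size):
    """Parse 'bytes=a-b,c-d,-n,e-' into inclusive (first, last) pairs clipped
    to a resource of `size` bytes. A malformed header yields [] (treat as
    absent); individual unsatisfiable specs are skipped."""
    if not header.lower().startswith("bytes="):
        return []
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m:
            return []                      # syntax error: ignore whole header
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            return []                      # "-" alone is not a range
        if first == "":                    # suffix range "-n": last n bytes
            n = int(last)
            if n == 0:
                continue
            start, end = max(0, size - n), size - 1
        else:
            start = int(first)
            end = size - 1 if last == "" else min(int(last), size - 1)
            if start >= size or start > end:
                continue                   # unsatisfiable spec, skip it
        ranges.append((start, end))
    return ranges


def ranges_exceed_resource(ranges, size):
    """The 2.2.20 heuristic quoted in the announcement: True when the bytes
    requested across all ranges add up to more than the resource itself."""
    return sum(end - start + 1 for start, end in ranges) > size


def overlapping_ranges(ranges):
    """Count ranges that overlap an earlier one; NVD describes the attack as a
    Range header expressing many overlapping ranges."""
    overlaps, seen = 0, []
    for s, e in ranges:
        if any(s <= e2 and s2 <= e for s2, e2 in seen):
            overlaps += 1
        seen.append((s, e))
    return overlaps


def decide(header, size, max_ranges=MAX_RANGES):
    """Return ('full', reason) to serve the whole file with the ranges ignored,
    or ('partial', reason) to honour them with a 206. 416 handling is out of
    scope here."""
    if header is None:
        return ("full", "no Range header")
    ranges = parse_range_header(header, size)
    if not ranges:
        return ("full", "malformed or unsatisfiable Range header")
    if len(ranges) > max_ranges:           # selective 'unset Range' mitigation
        return ("full", "%d ranges exceed limit of %d" % (len(ranges), max_ranges))
    if ranges_exceed_resource(ranges, size):
        return ("full", "requested bytes exceed resource size")
    return ("partial", "%d satisfiable range(s)" % len(ranges))


def attack_header(count=1300):
    """Constructed header in the shape of the August 2011 in-the-wild requests:
    one full range followed by many overlapping '5-N' ranges."""
    return "bytes=0-," + ",".join("5-%d" % i for i in range(count))


if __name__ == "__main__":
    size = 2000                            # constructed resource size
    for hdr in ("bytes=0-499,-500", attack_header()):
        r = parse_range_header(hdr, size)
        print(len(r), "ranges,", overlapping_ranges(r), "overlapping ->", decide(hdr, size))
```

The count check alone would drop legitimate multi-range downloads beyond the threshold, which is the same trade-off the thread flags for `RequestHeader unset Range`; the sum check is the narrower of the two and is what upstream shipped in 2.2.20.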