Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 380475 (CVE-2011-3192) - <www-servers/apache-2.2.20 Multiple Range header DoS (CVE-2011-3192)
Summary: <www-servers/apache-2.2.20 Multiple Range header DoS (CVE-2011-3192)
Status: RESOLVED FIXED
Alias: CVE-2011-3192
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: A3 [glsa]
Keywords:
: 368743 381297 (view as bug list)
Depends on:
Blocks: CVE-2011-1176
  Show dependency tree
 
Reported: 2011-08-24 10:35 UTC by Alex Legler (RETIRED)
Modified: 2012-06-24 14:28 UTC (History)
24 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-24 10:35:02 UTC
Apache does not properly handle requests with multiple Range headers, leading to a memory exhaustion condition. The exploit was posted on full-disclosure ($URL).

Upstream is discussing the issue here: http://www.gossamer-threads.com/lists/apache/dev/401638
Comment 1 János Csárdi-Braunstein 2011-08-30 09:52:20 UTC
The Debian maintainers made the patch for this bug: http://www.debian.org/security/2011/dsa-2298
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-08-30 21:47:06 UTC
Upstream has released 2.2.20. From https://www.apache.org/dist/httpd/Announcement2.2.txt:

     * SECURITY: CVE-2011-3192 (cve.mitre.org)
       core: Fix handling of byte-range requests to use less memory, to avoid
       denial of service. If the sum of all ranges in a request is larger than
       the original file, ignore the ranges and send the complete file.
       PR 51714.
Comment 3 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-31 14:04:05 UTC
*** Bug 381297 has been marked as a duplicate of this bug. ***
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-09-01 06:22:24 UTC
*** Bug 368743 has been marked as a duplicate of this bug. ***
Comment 5 Dirkjan Ochtman gentoo-dev 2011-09-01 06:57:28 UTC
Can we please have someone from the Apache team bump the ebuild? I'd be happy to do so myself if no one has time, just let me know it's okay.
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-09-01 07:45:13 UTC
(In reply to comment #5)
> Can we please have someone from the Apache team bump the ebuild? I'd be happy
> to do so myself if no one has time, just let me know it's okay.

As far as we are concerned, sure, go ahead.
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2011-09-01 17:52:43 UTC
2.2.20 is in the tree. Arch teams, please stabilize:

www-servers/apache-2.2.20
app-admin/apache-tools-2.2.20
Comment 8 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-01 18:39:13 UTC
amd64: pass.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-09-01 18:49:20 UTC
CVE-2011-3192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3192):
  The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64,
  and 2.2.x through 2.2.19 allows remote attackers to cause a denial of
  service (memory and CPU consumption) via a Range header that expresses
  multiple overlapping ranges, as exploited in the wild in August 2011, a
  different vulnerability than CVE-2007-0086.
Comment 10 Agostino Sarubbo gentoo-dev 2011-09-01 19:21:56 UTC
Multiple compile test on my box and start restart daemon is ok. Looks perfect also on server ( hardened environment ).

amd64 ok.
Comment 11 Tony Vroon gentoo-dev 2011-09-02 09:09:05 UTC
+  02 Sep 2011; Tony Vroon <chainsaw@gentoo.org> apache-tools-2.2.20.ebuild:
+  Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+  Lazkani & Agostino "ago" Sarubbo in security bug #380475 filed by Alex "a3li"
+  Legler.

+  02 Sep 2011; Tony Vroon <chainsaw@gentoo.org> apache-2.2.20.ebuild:
+  Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+  Lazkani & Agostino "ago" Sarubbo in security bug #380475 filed by Alex "a3li"
+  Legler.
Comment 12 Tobias Klausmann gentoo-dev 2011-09-02 09:36:26 UTC
Stable on alpha.
Comment 13 Jeroen Roovers gentoo-dev 2011-09-02 17:09:37 UTC
Stable for HPPA.
Comment 14 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-03 08:28:45 UTC
ppc/ppc64 stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2011-09-03 13:37:47 UTC
arm/ia64/s390/sh/sparc/x86 stable
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2011-09-04 00:25:23 UTC
Thanks, folks. Added to existing GLSA request.
Comment 17 Hanno Böck gentoo-dev 2011-09-14 13:25:24 UTC
apache announces that the fix is incomplete and has released 2.2.21:
http://www.apache.org/dist/httpd/Announcement2.2.html
Comment 18 Agostino Sarubbo gentoo-dev 2011-09-14 16:13:55 UTC
Thanks for the notice Hanno.

We proceed in bug 382971.
Comment 19 Steve Dibb (RETIRED) gentoo-dev 2011-10-14 17:05:03 UTC
For users who can't/won't upgrade, see http://httpd.apache.org/security/CVE-2011-3192.txt for some mitigation options.
Comment 20 Steve Dibb (RETIRED) gentoo-dev 2011-10-14 17:06:04 UTC
(In reply to comment #19)
> For users who can't/won't upgrade, see
> http://httpd.apache.org/security/CVE-2011-3192.txt for some mitigation options.

Specifically, you can disable range headers completely by adding:

RequestHeader unset Range
RequestHeader unset Request-Range

Be sure to read the docs as to how this may affect clients.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:28:51 UTC
This issue was resolved and addressed in
 GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml
by GLSA coordinator Tobias Heinlein (keytoaster).