In case you haven't already heard:
----- Forwarded message from Jan Henkins -----
Hello there,
Forwarding this to official support due to its importance (should have
done this earlier!). Please pass this on to the Bitfolk list!
Since I've sent the below message, I have found a mitigation strategy for
Debian:
1) Create /etc/apache2/conf.d/setenvif with the following content:
---start---
<IfModule mod_setenvif.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
</IfModule>
---end---
Be advised that the above should not work out of the box, since the "headers"
module was not enabled by default (this could be the actual Debian and
Ubuntu standard).
2) Enable the headers and rewrite modules:
a2enmod headers
a2enmod rewrite
3) Restart apache
---------------------------- Original Message ----------------------------
Subject: Apache 1.* and 2.* vulnerability
From: "Jan Henkins"
Date: Thu, August 25, 2011 11:00
--------------------------------------------------------------------------
Hello Andy,
Sorry for not posting this to the Bitfolk list directly, I'm on my
web-mail (didn't put the mailing list address in my address book), so
please consider passing this on.
Yesterday a nasty Apache DoS vuln was released. So far all versions of
Apache are affected by this. Here are some advisories:
RedHat:
https://bugzilla.redhat.com/show_bug.cgi?id=732928
Debian:
https://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C201…
While I have not managed to work out a mitigation strategy for
Ubuntu/Debian servers, the following works rather nicely on RHEL5 and
RHEL6 (so could be good to go for CentOS too):
Create /etc/httpd/conf.d/setenvif.conf with the following:
<IfModule mod_setenvif.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog /your/log/dir/range-CVE-2011-3192.log common env=bad-range
</IfModule>
Restart apache
That should do it nicely! :-)
More reading here:
http://eromang.zataz.com/2011/08/24/cve-2011-3192-apache-httpd-killer-remot…
Please pass on to the Bitfolk community at your discretion.
--
Regards,
Jan Henkins
--
Regards,
Jan Henkins
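As an added illustration (not part of Jan's e-mail or of any Apache project code), the following Python snippet applies the same `(,.*?){5,}` pattern that the SetEnvIf rule above uses to a few constructed Range header values, so you can see where the cutoff falls before deploying the rule: the pattern matches when the value contains at least five commas, i.e. six or more byte ranges, which is what "more than 5 ranges" means in the config comment. The sample header values and the `filter_headers` helper are constructed for this demonstration.

```python
import re

# The exact pattern from the SetEnvIf directive in the mitigation above.
# Python's re and Apache's PCRE agree on this expression: it matches when
# the value contains at least five commas, i.e. six or more ranges.
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")


def count_ranges(range_value):
    """Number of byte-range specs in a Range value, e.g. 'bytes=0-1,2-3' -> 2."""
    _, _, spec = range_value.partition("=")
    return len([r for r in spec.split(",") if r.strip()])


def is_bad_range(range_value):
    """True when the SetEnvIf rule would set bad-range=1 for this value."""
    return BAD_RANGE_RE.search(range_value) is not None


def filter_headers(headers):
    """Emulate 'RequestHeader unset Range env=bad-range' on a header dict.

    Returns (headers_after, dropped); dropped is True if Range was removed.
    """
    range_value = headers.get("Range")
    if range_value is not None and is_bad_range(range_value):
        kept = {k: v for k, v in headers.items() if k != "Range"}
        return kept, True
    return dict(headers), False


# Constructed sample values (not taken from any real traffic).
SAMPLES = [
    "bytes=0-100",                         # one range: kept
    "bytes=0-1,2-3,4-5,6-7,8-9",           # five ranges: kept
    "bytes=0-1,2-3,4-5,6-7,8-9,10-11",     # six ranges: dropped
    "bytes=" + ",".join("%d-%d" % (i, i) for i in range(200)),  # dropped
]

if __name__ == "__main__":
    for value in SAMPLES:
        print("%4d ranges  bad-range=%d" % (count_ranges(value),
                                            int(is_bad_range(value))))
```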
Hi,
We've had reports that the password reset feature of the panel is
broken at the moment.
Some new code was pushed live a few days ago and this obviously got
past testing. I am working on fixing this as a top priority, but in
the meantime if you do require a password reset please:
1. Check to see if we've fixed it yet
2. If not, contact support@ requesting reset
3. Use phone if urgent and you haven't received confirmation that
it's been done yet
I do expect it to be fixed today.
https://tools.bitfolk.com/redmine/issues/80
Apologies for the inconvenience.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
With immediate effect we are moving to a calendar monthly /
quarterly / yearly billing cycle instead of a rigid 30 / 90 / 360
day cycle.
This was requested in:
https://tools.bitfolk.com/redmine/issues/13
You do not need to take any action. You will effectively get 5 or 6
days of additional service per year compared to before.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting