[Fwd: Apache 1.* and 2.* vulnerability]

In case you haven't already heard: ----- Forwarded message from Jan Henkins ----- Hello there, Forwarding this to official support due to it's importance (should have done this earlier!). Please pass this on to the Bitfolk list! Since I've sent the below message, I have found a mitigation strategy for Debian: 1) Create /etc/apache2/conf.d/setenvif with the following content: ---star--- <IfModule mod_setenvif.c> # Drop the Range header when more than 5 ranges. # CVE-2011-3192 SetEnvIf Range (,.*?){5,} bad-range=1 RequestHeader unset Range env=bad-range # optional logging. CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range </IfModule> ---end--- Be advised that the above should not work out of the box, since "headers" module was not enabled by default (this could be the actual Debian and Ubuntu standard). 2) Enable the headers and rewrite modules: a2enmod headers a2enmod rewrite 3) Restart apache ---------------------------- Original Message ---------------------------- Subject: Apache 1.* and 2.* vulnerability From: "Jan Henkins" Date: Thu, August 25, 2011 11:00 -------------------------------------------------------------------------- Hello Andy, Sorry for not posting this to the Bitfolk list directly, I'm on my web-mail (didn't put the mailing list address in my address book), so please consider passing this on. Yesterday a nasty Apache DoS vuln was released. So far all versions of Apache is affected by this. Here are some advisories: RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=732928 Debian: https://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C201… While I have not managed to work out a mitigation strategy for Ubuntu/Debian servers, the following works rather nicely on RHEL5 and RHEL6 (so could be good to go for CentOS too): Create /etc/httpd/conf.d/setenvif.conf with the following: <IfModule mod_setenvif.c> # Drop the Range header when more than 5 ranges. # CVE-2011-3192 SetEnvIf Range (,.*?){5,} bad-range=1 RequestHeader unset Range env=bad-range # optional logging. CustomLog /your/log/dir/range-CVE-2011-3192.log common env=bad-range </IfModule> Restart apache That should do it nicely! :-) More reading here: http://eromang.zataz.com/2011/08/24/cve-2011-3192-apache-httpd-killer-remot… Please pass on to the Bitfolk community at your discretion. -- Regards, Jan Henkins -- Regards, Jan Henkins