In case you haven't already heard:
----- Forwarded message from Jan Henkins -----
Hello there,
Forwarding this to official support due to its importance (should have
done this earlier!). Please pass this on to the Bitfolk list!
Since I sent the message below, I have found a mitigation strategy for
Debian:
1) Create /etc/apache2/conf.d/setenvif with the following content:
---start---
<IfModule mod_setenvif.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
# RequestHeader is provided by mod_headers, which must be enabled (a2enmod headers).
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
</IfModule>
---end---
Be advised that the above should not work out of the box, since the "headers"
module was not enabled by default (this could be the actual Debian and
Ubuntu standard).
2) Enable the headers and rewrite modules:
a2enmod headers
a2enmod rewrite
3) Restart apache
---------------------------- Original Message ----------------------------
Subject: Apache 1.* and 2.* vulnerability
From: "Jan Henkins"
Date: Thu, August 25, 2011 11:00
--------------------------------------------------------------------------
Hello Andy,
Sorry for not posting this to the Bitfolk list directly, I'm on my
web-mail (didn't put the mailing list address in my address book), so
please consider passing this on.
Yesterday a nasty Apache DoS vuln was released. So far all versions of
Apache are affected by this. Here are some advisories:
RedHat:
https://bugzilla.redhat.com/show_bug.cgi?id=732928
Debian:
https://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C201…
While I have not managed to work out a mitigation strategy for
Ubuntu/Debian servers, the following works rather nicely on RHEL5 and
RHEL6 (so could be good to go for CentOS too):
Create /etc/httpd/conf.d/setenvif.conf with the following:
<IfModule mod_setenvif.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
# RequestHeader is provided by mod_headers, which must be loaded.
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog /your/log/dir/range-CVE-2011-3192.log common env=bad-range
</IfModule>
Restart apache
That should do it nicely! :-)
More reading here:
http://eromang.zataz.com/2011/08/24/cve-2011-3192-apache-httpd-killer-remot…
Please pass on to the Bitfolk community at your discretion.
--
Regards,
Jan Henkins
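As an added example (my code, not from the email above and not Apache's own), the following Python models the SetEnvIf/RequestHeader rule from the snippets so you can check which Range headers it would strip before restarting a production server. The regex is the one from the config; the header values, the host name and the sample requests are constructed for the demonstration, and the byte-range-spec grammar is the one from RFC 2616 section 14.35.

```python
import re

# The SetEnvIf pattern from the email, verbatim. SetEnvIf applies the regex
# anywhere in the header value, which is what re.search does.
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")

# One byte-range-spec per RFC 2616 14.35: "first-last", "first-", or "-suffix".
BYTE_RANGE_SPEC_RE = re.compile(r"^(?:\d+-\d*|-\d+)$")


def is_bad_range(value: str) -> bool:
    """True when the SetEnvIf rule would set bad-range=1 for this Range value.
    Five or more commas means six or more ranges, hence 'more than 5 ranges'."""
    return BAD_RANGE_RE.search(value) is not None


def count_ranges(value: str) -> int:
    """Count the byte-range-specs in a Range value; 0 if the value is not a
    well-formed 'bytes=' ranges-specifier."""
    if not value.lower().startswith("bytes="):
        return 0
    specs = [s.strip() for s in value[len("bytes="):].split(",")]
    if not all(BYTE_RANGE_SPEC_RE.match(s) for s in specs):
        return 0
    return len(specs)


def apply_mitigation(headers: dict) -> dict:
    """Emulate 'RequestHeader unset Range env=bad-range': return a copy of the
    request headers with Range removed when the SetEnvIf rule fired."""
    mitigated = dict(headers)
    rng = mitigated.get("Range")
    if rng is not None and is_bad_range(rng):
        del mitigated["Range"]
    return mitigated


def make_range(n: int) -> str:
    """Constructed Range value with n one-byte ranges: bytes=0-1,2-3,4-5,..."""
    return "bytes=" + ",".join(f"{2 * i}-{2 * i + 1}" for i in range(n))


if __name__ == "__main__":
    # Constructed sample requests (host name is a placeholder): an ordinary
    # resumed download, requests at either side of the threshold, and the
    # kind of many-range request the DoS relies on.
    samples = {
        "resume": {"Host": "example.invalid", "Range": "bytes=1024-"},
        "five": {"Host": "example.invalid", "Range": make_range(5)},
        "six": {"Host": "example.invalid", "Range": make_range(6)},
        "flood": {"Host": "example.invalid", "Range": make_range(200)},
    }
    for name, hdrs in samples.items():
        kept = "Range" in apply_mitigation(hdrs)
        print(f"{name:6s} ranges={count_ranges(hdrs['Range']):4d} "
              f"bad-range={is_bad_range(hdrs['Range'])} Range kept={kept}")
```

Running it shows that five ranges (four commas) pass untouched while six or more are stripped, which is the threshold the comment in the config describes. One check worth doing before the restart in step 3: `apache2ctl configtest`. The `<IfModule mod_setenvif.c>` wrapper only guards mod_setenvif; if mod_headers is not loaded, Apache rejects `RequestHeader` as an invalid command at startup, which is the failure the note about `a2enmod headers` is warning about.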