Fix For Apache DoS Bug In the Pipes

Posted by timothy
from the gurgling-through dept.
Trailrunner7 writes with the report that "The Apache Software Foundation plans to have a fix available in the next day or so [Note: that means today, now. --Ed.] for the denial-of-service problem in Apache that was publicized late last week. The bug, which in some forms has been under discussion for more than four years, involves the way that the Web server handles certain overlapping range headers. The vulnerability is a denial-of-service bug, but it is considered serious because a remote attacker can essentially take a targeted server offline with little effort and resources. The Apache Software Foundation, which maintains the popular open-source Web server, updated its advisory on the vulnerability, saying that it expects to have a full fix available for the vulnerability within the next 24 hours."

  • Re:I hear... (Score:5, Informative)

    by digitalchinky (650880) on Saturday August 27, 2011 @11:41AM (#37227746)

    I am utterly lazy, but a few moments in Google and I added the following to my domains:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
    RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
    RewriteRule .* - [F]

    It certainly makes the exploit fail, which is good enough for me until Apache gets a fix going.
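
An added example, not part of the comment above or of Apache's own code: it applies the same pattern as the posted RewriteCond to sample Range headers, showing that the rule rejects every multi-range request, and contrasts it with a check that flags only overlapping or excessive ranges. The function names, the `MAX_RANGES` threshold and the sample headers are assumptions constructed for this illustration.

```python
import re

# Pattern copied from the RewriteCond in the comment; mod_rewrite searches
# unanchored, so re.search mirrors it.
COMMENT_RULE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")
MAX_RANGES = 5  # assumed threshold for this example, not a value from the page


def rule_blocks(range_header):
    """True if the comment's RewriteCond would match (request gets 403 via [F])."""
    return COMMENT_RULE.search(range_header) is not None


def parse_ranges(range_header):
    """Return (first, last) pairs; None marks an open end. None if malformed."""
    unit, _, spec = range_header.partition("=")
    if unit.strip().lower() != "bytes":
        return None
    pairs = []
    for part in spec.split(","):
        m = re.fullmatch(r"\s*([0-9]*)-([0-9]*)\s*", part)
        if not m or not (m.group(1) or m.group(2)):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None
        pairs.append((first, last))
    return pairs


def classify(range_header):
    """Label a header 'ok', 'malformed', 'too-many' or 'overlapping'."""
    pairs = parse_ranges(range_header)
    if pairs is None:
        return "malformed"
    if len(pairs) > MAX_RANGES:
        return "too-many"
    # Suffix ranges ('-N') are skipped; 'N-' is treated as running to end of file.
    spans = sorted(
        (f, float("inf") if l is None else l) for f, l in pairs if f is not None)
    for (_, prev_last), (next_first, _) in zip(spans, spans[1:]):
        if next_first <= prev_last:
            return "overlapping"
    return "ok"


if __name__ == "__main__":
    for h in ("bytes=0-499", "bytes=0-99,200-299", "bytes=0-100,50-150"):  # constructed
        print(h, rule_blocks(h), classify(h))
```

The second sample is a legitimate non-overlapping multi-range request: the posted rule refuses it, while the overlap check lets it through.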