Forgot your password?
typodupeerror
Security Apache

"Apache Killer" Web Server Hole Plugged 48

Posted by samzenpus
from the shields-up dept.
CWmike writes "The Apache open-source project has patched its Web server software to quash a bug that a denial-of-service (DoS) tool has been exploiting. Apache 2.2.20, released Tuesday, plugs the hole used by an 'Apache Killer' attack tool. On Aug. 24, project developers had promised a fix within 48 hours, then revised the timetable two days later to 24 hours. The security advisory did not explain the delay."
This discussion has been archived. No new comments can be posted.

"Apache Killer" Web Server Hole Plugged

Comments Filter:
  • by mzs (595629) on Friday September 02, 2011 @12:27AM (#37282688)

    http://mail-archives.apache.org/mod_mbox/www-announce/201108.mbox/%3C85111090-501E-4C80-AA8F-DD11B94FDF7C@apache.org%3E [apache.org]

    * SECURITY: CVE-2011-3192 (cve.mitre.org)
      core: Fix handling of byte-range requests to use less memory, to avoid
      denial of service. If the sum of all ranges in a request is larger than
      the original file, ignore the ranges and send the complete file.
      PR 51714.

    I remember reading how people had all sorts of ideas like sorting the ranges, ignoring gaps of less than 80 bytes, noticing that it went afoul of the standard. Around the same time nginx also did a release with the approach of sending back the entire file if the sum of the ranges was more. That was so simple, and it's okay according to RFC 2616 a server MAY ignore the range header, so it's clever too! Glad all the memory handling was fixed-up too though.

It is better to give than to lend, and it costs about the same.

Working...