Security Apache

Apache Fixes Range Header Flaw, Again

Posted by samzenpus
from the got-it-this-time dept.
Trailrunner7 writes "Two weeks after releasing a fix for the range-header denial-of-service flaw that was much-discussed on security forums and mailing lists, the Apache Software Foundation has pushed out another version of its popular Web server that includes a further fix for the same flaw. Apache 2.2.21 has a patch for the CVE-2011-3192 vulnerability that the group previously fixed in late August with the release of version 2.2.20. The vulnerability is an old one that recently resurfaced after a researcher published an advisory on a modified version of the bug and also released a tool capable of exploiting the vulnerability."


  • Quick fixes (Score:3, Insightful)

    by Rhodri Mawr (862554) on Wednesday September 14, 2011 @05:27PM (#37403684)
    I would say that fixing the range header denial of service attack twice is nothing to be ashamed of. Firstly, you get a tested fix out quickly that protects sites that are likely to be under attack [targets]. These early adopters get the fix which stops the attack which is known in the wild. Two weeks later, you get the belt-and-braces fix which fixes the issue even for new variants of the known attack.
    Compare this to Microsoft's one patch day a month policy which is rarely if ever varied.
    • Re: (Score:1, Flamebait)

      by Dunbal (464142) *
      Or Apple's "security flaws? We don't have any security flaws and shutthefuckup or we will sue you to oblivion" policy.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      meh, it's open source, why should you wait for apache to fix it for you? You can fix it yourself.

      I set up apache on my grandmother's linux computer so she can share photos over webdav (she likes to gimp her pictures). I stopped by a couple days ago to update apache but to my surprise, she had already heard about the bug, downloaded the source code, got a master's degree in computer science, and fixed it herself.

      • The percentage of programmers capable of fixing the problems like this themselves is minuscule. Same thing applies to any major open source applications such as browsers. Identifying the flaw, fixing the flaw, and performing regression testing to make sure you have not introduced new problems requires an expert skill set that is quite different than the skill set needed to develop web and console user applications. The easy fixes have been done but the remaining bugs are causing the people who work on these
        • by lee1 (219161)
          This is my first time, so I hope I do this right. Here goes:

          WHOOOOOOOSH!
          • Ah! You must be Mr. Super Programmer! The "ability to fix it yourself" has always been one of the least important reasons to support the open source licensing model. The most important benefits have been reducing your problems if your closed source vendor goes out of business leaving you with an unsupported and stagnant application. Open source has also provided a large code base that developers are free to access and use in their own projects. There are a lot more developers who take advantage of this reso
    • by BlortHorc (305555)

      I would say that fixing the range header denial of service attack twice is nothing to be ashamed of. Firstly, you get a tested fix out quickly that protects sites that are likely to be under attack [targets]. These early adopters get the fix which stops the attack which is known in the wild. Two weeks later, you get the belt-and-braces fix which fixes the issue even for new variants of the known attack.

      I think their response has been more than reasonable, given the actual flaw is a somewhat vaguely worded paragraph in the HTTP RFC regarding multiple requested ranges and how they should be treated. Sometimes the real bug is inherent to the protocol, and all vendors need to work together to seek a sensible remedy.
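
The RFC text the comment above refers to is the byte-range syntax of HTTP/1.1 (RFC 2616, section 14.35): a single Range header may carry any number of comma-separated ranges, and nothing in the spec stops them from overlapping. CVE-2011-3192 is the consequence of a server that buffers each requested part separately: a request naming hundreds of ranges over the same file costs the server many times the file's size in memory. The checker below is an added illustration, not code from Apache httpd or from anyone on this page. It parses a Range header the way a server has to before it allocates anything, and refuses the two request shapes that make the attack expensive. The limit of five ranges, the function names, and the sample header are assumptions made for this example.

```python
import re

# Assumption (not a value from the page): how many byte ranges one request
# may carry before it is refused outright.
MAX_RANGES = 5

# One byte-range-spec: "first-last", "first-" or "-suffix_length".
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header, resource_len):
    """Turn a Range header value into absolute, clamped (first, last) pairs.

    Unsatisfiable specs (start past the end of the resource) are dropped.
    Syntactically invalid specs raise ValueError; RFC 2616 says the server
    must then ignore the whole header and answer with the full entity.
    """
    if not header.lower().startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m:
            raise ValueError("malformed byte-range-spec: %r" % spec)
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            raise ValueError("empty byte-range-spec")
        if first == "":
            # suffix-byte-range-spec: the last N bytes of the resource
            n = int(last)
            if n == 0:
                continue  # a zero-length suffix is unsatisfiable
            start, end = max(0, resource_len - n), resource_len - 1
        else:
            start = int(first)
            end = int(last) if last else resource_len - 1
            if last and end < start:
                raise ValueError("last-byte-pos before first-byte-pos")
            if start >= resource_len:
                continue  # unsatisfiable, skip this spec
            end = min(end, resource_len - 1)
        ranges.append((start, end))
    return ranges


def check_range_header(header, resource_len, max_ranges=MAX_RANGES):
    """Decide how to treat a Range header before any buffers are allocated.

    Returns (action, detail) where action is one of:
      "ignore" - header malformed, serve the whole entity with HTTP 200
      "416"    - no range is satisfiable
      "reject" - abusive request, refuse it (e.g. HTTP 400 or 403)
      "serve"  - send HTTP 206 with the listed ranges
    """
    try:
        ranges = parse_byte_ranges(header, resource_len)
    except ValueError as exc:
        return "ignore", str(exc)
    if not ranges:
        return "416", "no satisfiable ranges"
    if len(ranges) > max_ranges:
        return "reject", "%d ranges, limit is %d" % (len(ranges), max_ranges)
    # Overlap check: sort by start and compare each range with its neighbour.
    # Overlapping ranges are the amplifier, since every one of them would be
    # buffered on its own while all reading from the same bytes of the file.
    ordered = sorted(ranges)
    for (a_first, a_last), (b_first, b_last) in zip(ordered, ordered[1:]):
        if b_first <= a_last:
            return "reject", "overlapping ranges %s and %s" % (
                (a_first, a_last), (b_first, b_last))
    requested = sum(last - first + 1 for first, last in ranges)
    return "serve", {"ranges": ranges, "bytes": requested}


# Constructed sample (not captured from any tool): many open-ended ranges
# that each cover almost the whole file. A server that buffers every part
# separately would spend roughly 1300 times the file size on this request.
ABUSIVE_HEADER = "bytes=" + ",".join("%d-" % i for i in range(1300))

if __name__ == "__main__":
    samples = ("bytes=0-99,200-299", "bytes=-100", "bytes=0-99,50-150",
               "bytes=5-0", ABUSIVE_HEADER)
    for h in samples:
        print(h[:40].ljust(40), "->", check_range_header(h, 1000))
```

The ordering matters: the cheap count check runs before the sort, and both run before any part of the file is read, so a hostile header is bounced for the cost of a regex per range rather than a buffer per range. A site that serves no partial content at all can skip the parsing entirely and strip the header at the door with mod_headers (`RequestHeader unset Range`); that is a blunt option rather than Apache's own fix, which lives in the httpd C source.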

    • So what you're saying is "Le mieux est l'ennemi du bien" (the best is the enemy of the good)?

  • Nice.

    I hope the one for 2.0.64 comes out soon... but at the same time I'm glad the 2.2 guys are the guinea pigs seeing regressions and not us :).

    • by thogard (43403)

      More people are running 1.3 than 2.0 now. Going from 1.3 to 2.2 with a custom module sometimes means a rewrite but going from 2.0 to 2.2 tends to be updating a few elements in some structures.

      • by soundguy (415780)
        I still run 2.0 on a handful of servers that use mod_auth_mysql because it apparently doesn't work on 2.2
