Mailing List Archive: Apache: Docs

[Httpd Wiki] Update of "CVE-2011-3192" by RobertPattinson



wikidiffs at apache

Apr 6, 2012, 3:14 AM

Post #1 of 2 (142 views)
[Httpd Wiki] Update of "CVE-2011-3192" by RobertPattinson

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "CVE-2011-3192" page has been changed by RobertPattinson:
http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=13&rev2=14

The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.

- The default Apache httpd installations version 2.0 prior to 2.0.65 and
+ The default Apache httpd installations version 2.0 prior to 2.0.65 and
version 2.2 prior to 2.2.20 are vulnerable.

Apache 2.2.20 does fix this issue; however with a number of side effects
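Review bot: the `-`/`+` pair at "The default Apache httpd installations version 2.0 prior to 2.0.65 and" shows no visible difference in either line, so this is a whitespace-only change; it carries no content of its own and can be dropped together with the rest of the revision if the later hunks are reverted.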
@@ -111, +111 @@

in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the
legacy 2.0.65 release, once this is published (anticipated in September).

- If you cannot upgrade, or cannot wait to upgrade - you can apply the
+ If you cannot upgrade, or cannot wait to upgrade - you can apply the
appropriate source code patch and recompile a recent existing version;

http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/ (for 2.2.9 - .14)
@@ -210, +210 @@

A stop-gap module which is runtime-configurable can be found at:

http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/
-
+
- A simpler stop-gap module which requires compile-time configuration
+ A simpler stop-gap module which requires compile-time configuration
is also available:

http://people.apache.org/~dirkx/mod_rangecnt.c
@@ -258, +258 @@

of the versions in the wild currently check for the presence of mod_deflate;
and will (mis)report that your server is not vulnerable if this module is not
present. This vulnerability is not dependent on presence or absence of
- that module.
+ that module.[
-
- Planning:
- =========
-
- No further advisory email announcements are planned. However we will track
- minor refinements of this advisory at;
-
- http://httpd.apache.org/security/CVE-2011-3192.txt
-
- Further recommendations and discussion on workarounds, or user-agent
- specific complications of these fixes will be tracked at;
-
- http://wiki.apache.org/httpd/CVE-2011-3192
}}}
+ == . ==
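Review bot: this hunk should be reverted rather than accepted. It appends a stray `[` after "that module." (opening a wiki link that is never closed), deletes the entire "Planning:" section, which is the only place the page says where refinements of the advisory are tracked (http://httpd.apache.org/security/CVE-2011-3192.txt and http://wiki.apache.org/httpd/CVE-2011-3192), and adds an empty heading `== . ==` after the closing `}}}`. The notification gives no reason for removing that section, and nothing in the added lines replaces it.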


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe [at] httpd
For additional commands, e-mail: docs-help [at] httpd
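Added example, not code from the Apache project, the wiki page, or the stop-gap modules it links: a range-count limiter in Python modelled on the approach the advisory describes, counting the byte ranges a client asks for and refusing the request before any per-range work is done. The threshold of 5, the 403 response, the WSGI packaging and the sample headers are assumptions made for illustration.

```python
"""Range-count limiter modelled on the stop-gap approach described in the
advisory: count the byte ranges a client asks for and refuse the request
before the byterange filter does per-range work.

Added example, not code from the Apache project, the linked modules, or the
wiki page. The threshold (5), the 403 response, the WSGI packaging and the
sample headers below are assumptions made for illustration.
"""
import re
from typing import List, Optional, Tuple

# Assumed threshold: more byte ranges than this in one request gets refused.
MAX_RANGES = 5

# One byte-range-spec: "first-last", "first-" or "-suffix" (digits only).
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header_value: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Parse a Range value such as 'bytes=0-99,200-,-50' into (first, last)
    pairs, with None for an open end.

    Returns [] when the unit is not 'bytes' or any spec is syntactically
    malformed: httpd ignores an invalid Range header and serves the full
    entity, so such a header contributes no ranges to the count. Overlapping
    or reversed ranges are deliberately *not* filtered here; they are exactly
    what an abusive request sends, and the point is to count them before any
    satisfiability check runs.
    """
    unit, sep, specs = header_value.strip().partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return []
    ranges: List[Tuple[Optional[int], Optional[int]]] = []
    for raw in specs.split(","):
        raw = raw.strip()
        if not raw:
            continue  # tolerate empty list elements ("bytes=0-,,5-1")
        m = _RANGE_SPEC.match(raw)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return []  # malformed spec: the whole header is ignored
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def range_count(header_value: Optional[str]) -> int:
    """Number of byte ranges the header asks for (0 if absent or invalid)."""
    return 0 if header_value is None else len(parse_ranges(header_value))


def should_reject(header_value: Optional[str], limit: int = MAX_RANGES) -> bool:
    """True when the request carries more than `limit` byte ranges."""
    return range_count(header_value) > limit


def limit_ranges(app, limit: int = MAX_RANGES):
    """WSGI middleware that answers 403 (assumed status) to over-limit Range
    requests before the wrapped application sees them."""
    def wrapped(environ, start_response):
        if should_reject(environ.get("HTTP_RANGE"), limit):
            body = b"Too many byte ranges in Range header\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return wrapped


def status_for(range_value: Optional[str], limit: int = MAX_RANGES) -> str:
    """Run one request with the given Range value through the middleware in
    front of a trivial app and return the status line it produced."""
    def inner(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if range_value is not None:
        environ["HTTP_RANGE"] = range_value
    list(limit_ranges(inner, limit)(environ, start_response))
    return seen["status"]


if __name__ == "__main__":
    # Constructed sample headers: a normal resume request, and an abusive
    # request with many overlapping ranges of one small object.
    normal = "bytes=1000-"
    abusive = "bytes=0-," + ",".join(f"5-{i}" for i in range(100))
    for label, value in (("normal", normal), ("abusive", abusive)):
        print(f"{label}: {range_count(value)} ranges -> {status_for(value)}")
```

The count is taken from the raw header, not from the set of ranges that would actually be satisfiable, because the cost the advisory describes is incurred per requested range; a check that first normalises or merges ranges would do the very work the limiter exists to avoid. Like the compile-time module linked above, the threshold is fixed at import; a runtime-configurable version would read it from configuration instead.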


wikidiffs at apache

Apr 6, 2012, 3:17 AM

Post #2 of 2 (130 views)
[Httpd Wiki] Update of "CVE-2011-3192" by RobertPattinson [In reply to]

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "CVE-2011-3192" page has been changed by RobertPattinson:
http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=14&rev2=15

http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild. Active use of this tool has
- been observed.
+ been observed.[[http://www.scoop.it/t/designer-mobile-phone-case-covers-2012|.]]

The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.
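Review bot: the only change in this revision is an unrelated external link appended to "been observed." (a wiki link to http://www.scoop.it/t/designer-mobile-phone-case-covers-2012 with "." as its visible text); it has nothing to do with the advisory and should be reverted as link spam. The sentence reads correctly without it.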

