> -----Original Message-----
> From: Dirk-Willem van Gulik [mailto:di...@webweaving.org]
> Sent: Wednesday, 24 August 2011 16:36
> To: dev@httpd.apache.org
> Subject: VOTES please -- CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (Final-5)
>
> Folks,
>
> Can I have a few +1's on below - or feedback on what we'd like to have changed ?
>
> * Would like to get this out in an hour or so ?
>
> * Fine with the 48 hours commitment of an update ?
>
> Dw.
>
>
>
> Title: CVE-2011-3192: Range header DoS vulnerability Apache HTTPD 1.3/2.x
> Date: 20110824 1600Z
> Product: Apache HTTPD Web Server
> Versions: Apache 1.3 all versions, Apache 2 all versions
>
> Description:
> ------------
>
> A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server:
>
> http://seclists.org/fulldisclosure/2011/Aug/175
>
> An attack tool is circulating in the wild. Active use of this tool has been observed.
>
> The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server.
>
> The default Apache HTTPD installation is vulnerable.
>
> There is currently no patch/new version of Apache HTTPD which fixes this vulnerability. This advisory will be updated when a long term fix is available.
>
> A full fix is expected in the next 48 hours.
>
> Mitigation:
> ------------
>
> However there are several immediate options to mitigate this issue until that time:
>
> 1) Use mod_rewrite to limit the number of ranges:
>
> Option 1:
> RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
> RewriteRule .* - [F]
>
> Option 2:
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
> # optional logging.
> CustomLog logs/range.log "%r %{Range}i %{bad-range}e"
Shouldn't it be conditional logging?

CustomLog logs/range.log "%r %{Range}i" env=bad-range

Otherwise looks good. +1.

Regards

Rüdiger
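The two mitigation options quoted above, and the logging point raised in the reply, are easy to misjudge from the regexes alone: Option 1 rejects the request with 403, Option 2 strips the Range header and serves the whole resource, and both draw the line at five ranges, but only Option 1 also rejects non-"bytes=" units. The following Python is an added example, not code from the thread or from the Apache project: it copies the advisory's two regexes verbatim and emulates how mod_rewrite and SetEnvIf/RequestHeader would classify a set of constructed Range header values, plus the difference between the unconditional CustomLog line and the conditional `env=bad-range` variant. The sample headers, the function names and the simplified log emulation (it logs the header as received and does not model when mod_headers runs relative to logging) are all assumptions of this example.

```python
import re

# Regexes copied from the advisory. Option 1 allows only "bytes=" followed by
# one to five comma-separated parts (or no header at all); everything else is
# forbidden. Option 2 flags any header with five or more commas (six+ ranges).
OPTION1_ALLOW = re.compile(r'^bytes=[^,]+(,[^,]+){0,4}$|^$')
OPTION2_BAD = re.compile(r'(,.*?){5,}')


def option1_rewrite_decision(range_header):
    """Emulate:  RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
                 RewriteRule .* - [F]
    mod_rewrite expands a missing header to the empty string, which the ^$
    alternative accepts. Returns the HTTP status the request would get."""
    value = '' if range_header is None else range_header
    return 200 if OPTION1_ALLOW.search(value) else 403


def option2_header_filter(range_header):
    """Emulate:  SetEnvIf Range (,.*?){5,} bad-range=1
                 RequestHeader unset Range env=bad-range
    Returns (range_header_after_filter, bad_range_env_set). SetEnvIf cannot
    match an absent header, so a missing Range is passed through untouched."""
    if range_header is None:
        return None, False
    if OPTION2_BAD.search(range_header):
        return None, True          # header stripped; whole resource is served
    return range_header, False


def range_log_line(request_line, range_header, conditional):
    """Emulate the advisory's CustomLog versus the conditional form from the
    reply. Unconditional ("%r %{Range}i %{bad-range}e") writes a line for
    every request, with '-' for an unset header or env var. Conditional
    ("%r %{Range}i" env=bad-range) writes a line only when bad-range is set.
    Simplification (assumption): the header is logged as received.
    Returns the log line, or None when nothing would be written."""
    _, flagged = option2_header_filter(range_header)
    if conditional:
        return f'{request_line} {range_header}' if flagged else None
    return f'{request_line} {range_header or "-"} {"1" if flagged else "-"}'


def compare_mitigations(range_header):
    """Run both options over one header value and summarise the outcome."""
    status = option1_rewrite_decision(range_header)
    kept, flagged = option2_header_filter(range_header)
    return {'option1_status': status,
            'option2_header': kept,
            'option2_flagged': flagged}


def _ranges(n):
    """Build a constructed, non-overlapping 'bytes=' header with n ranges."""
    return 'bytes=' + ','.join(f'{i * 100}-{i * 100 + 99}' for i in range(n))


# Constructed sample values, not taken from the thread.
SAMPLE_HEADERS = [
    None,          # no Range header at all
    '',            # empty header
    'bytes=0-99',  # a single ordinary range
    _ranges(5),    # exactly at the threshold: both options let it through
    _ranges(6),    # one over: Option 1 -> 403, Option 2 -> header stripped
    'items=0-5',   # non-bytes unit: Option 1 rejects it, Option 2 ignores it
]

if __name__ == '__main__':
    for header in SAMPLE_HEADERS:
        print(repr(header), compare_mitigations(header))
    # Only the six-range request produces a line under conditional logging.
    for header in SAMPLE_HEADERS:
        print(range_log_line('GET /index.html HTTP/1.1', header, conditional=True))
```

Running the script shows why the reply's suggestion matters operationally: with the unconditional CustomLog every request to the server produces a line in range.log, whereas `env=bad-range` confines the file to the requests the SetEnvIf rule actually flagged, which is what one wants when watching for active use of the attack tool.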