On Mon, Sep 19, 2011 at 6:57 PM, ropers <[email protected]> wrote: > On 19 September 2011 09:51, Mattieu Baptiste <[email protected]> wrote: >> The apache foundation has adjusted the security advisory and Apache 1.3 >> isn't vulnerable. >> >> https://httpd.apache.org/security/CVE-2011-3192.txt > > Yes, fair enough, BUT that same advisory says *in its Apache 1.3 section*: > >> However as explained in the background section in more detail - >> this attack does cause a significant and possibly unexpected load. >> You are advised to review your configuration in that light. > > and the Lee's original problem appears to be the result of an unexpected load.
The code involved is totally different. Look at it. The unexpected load is simply that 1.3 uses forks wheras 2.X has worker mode. The PoC launches 50 connexions at a time, which can generate load on 1.3. That's the reason of the "review your configuration in that light". -- Mattieu Baptiste "/earth is 102% full ... please delete anyone you can."
