Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert <[EMAIL PROTECTED]> wrote: > Patrick Thomas wrote: > > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your > > system is no longer vulnerable to the "chunking" attack, even if you are > > still running a vulnerable apache ? Why not upgrade Apache...?? Both the 1 and 2 series have been updated I think. (I'm a newbie at server stuff, so bear with me if I made a faux pas.) > The way you would deal with this would be to tell Apache that it > was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. > > The only place this is an issue is if you need to reuse an HTTP > connection, and that only occurs in HTTP 1.1 when you are doing > pipelining. Everywhere else, you can indicate an end of data Mozilla has an option to enable http pipelining as a performance option. I regularly used this, maybe I shouldn't? To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Fri, 21 Jun 2002 10:38:21 +0200 Bernd Walter <[EMAIL PROTECTED]> wrote: > On Fri, Jun 21, 2002 at 02:29:30AM -0400, Joshua Lee wrote: > > On Thu, 20 Jun 2002 19:59:20 -0700 > > Terry Lambert <[EMAIL PROTECTED]> wrote: > > > The way you would deal with this would be to tell Apache that it > > > was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. > > > > > > The only place this is an issue is if you need to reuse an HTTP > > > connection, and that only occurs in HTTP 1.1 when you are doing > > > pipelining. Everywhere else, you can indicate an end of data > > > > Mozilla has an option to enable http pipelining as a performance option. I >regularly used this, maybe I shouldn't? > > It should fallback. Considering that there's a warning concerning it's use "with some servers" maybe it doesn't... Luckily it's not on by default. To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert <[EMAIL PROTECTED]> wrote: > Patrick Thomas wrote: > > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your > > system is no longer vulnerable to the "chunking" attack, even if you are > > still running a vulnerable apache ? > > Not FreeBSD, but it's possible to reconfigure Apache. > > The way you would deal with this would be to tell Apache that it > was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. I've found a better solution! On today's freshports there is something called mod_blowchunks :-) If installed, it will reject chunking and log it. This is an alternative to upgrading Apache. To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Sun, 23 Jun 2002 02:06:20 -0700 Terry Lambert <[EMAIL PROTECTED]> wrote: > Joshua Lee wrote: > > Terry Lambert <[EMAIL PROTECTED]> wrote: > > > The way you would deal with this would be to tell Apache that it > > > was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. > > > > I've found a better solution! On today's freshports there is something > > called mod_blowchunks :-) If installed, it will reject chunking and log > > it. This is an alternative to upgrading Apache. > > But if a client uses chunking legitimately, and does so becuase > it believes it's talking to an HTTP server, you've just broken > that client's ability to POST/PUT. You mean to say "it believes it is talking to an HTTP 1.1 server", yes? I guess using HTTP 1.0 is a better solution then. Of course, maybe the *best* solution IMVHO would be to upgrade to the Apache version without this bug. To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message