On Mon, Aug 6, 2012 at 4:23 AM, Luciano Bello wrote:
> Sébastien Bocahu reported to the security team:
>> patch that was applied by Debian exposes Apache to segfaults under specific
>> crafted requests.
>>
>> The magic request is the following:
>> curl -H "x-forwarded-for: 1'\"5000" -H "Host: a
> As a workaround, you should avoid using x-forwarded-for header from
> untrusted sources. Usually, it is the case - you can trust your frontend
> servers ;)
>
> That means - real impact of this issue is very minor and mostly due to
> misconfiguration.
Excuse me?
This is definitely _not_ a mis
Ok, now it makes sense.
As a workaround, you should avoid using x-forwarded-for header from
untrusted sources. Usually, it is the case - you can trust your frontend
servers ;)
That means - real impact of this issue is very minor and mostly due to
misconfiguration.
07.08.2012 14:15, user "
Hi,
I am the bug reporter.
> The "minimal" patch is to drop 030_ipv6.patch. I can't confirm that
> this bug is *not* reproducible for 0.6 version *with* the above patch.
>
> Can you ask bugreporter to report details on:
> -->8--
>rpaf 0.6 is available in Debian wheezy. The IPv6 patched is n
tag 683984 +pending
thanks
06.08.2012 4:27, user "Luciano Bello" wrote:
> Sébastien Bocahu reported to the security team:
> > (...)
> > A single request makes Apache segfault. On some of the environments I tested,
> > it even kills all Apache processes (they become zombies).
Thank yo
Package: libapache2-mod-rpaf
Severity: critical
Tags: security
Version: 0.5-3
Sébastien Bocahu reported to the security team:
> (...)
> A single request makes Apache segfault. On some of the environments I tested,
> it even kills all Apache processes (they become zombies).
>
> I tested three env