Re: Grave apache dos possible through byterange requests

2011-08-28 Thread Thomas Hungenberg
Carlos Alberto Lopez Perez wrote:
> The new advisory [1] recommends this:
>
> # Drop the Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (?:,.*?){5,5} bad-range=1
> RequestHeader unset Range env=bad-range
>
> # We always drop R

Re: Grave apache dos possible through byterange requests

2011-08-26 Thread Carlos Alberto Lopez Perez
On 26/08/11 13:22, linbloke wrote:
> Hello,
>
> I'm curious as to why you suggest option 2 over option 1 from the Apache
> advisory? My guess is that it is compatible with version 1.3 and 2.x and
> that it has stronger enforcement of the syntax (by requiring ^bytes=)
> rather than just 5 comma sep

Re: Grave apache dos possible through byterange requests

2011-08-26 Thread Dirk-Willem van Gulik
On 26 Aug. 2011, at 13:22, linbloke wrote:
> I'm curious as to why you suggest option 2 over option 1 from the Apache
> advisory? My guess is that it is compatible with version 1.3 and 2.x and that
> it has stronger enforcement of the syntax (by requiring ^bytes=) rather than
> just 5 comma se

Re: Grave apache dos possible through byterange requests

2011-08-26 Thread linbloke
On 26/08/11 8:52 PM, Carlos Alberto Lopez Perez wrote:
On 26/08/11 11:17, Christian Hammers wrote:
Hello
Word is spreading that "Request-Range:" seems to be a synonym to "Range:" and is similarly vulnerable but not covered by the config snippets that were proposed yesterday. So Gentlemen, patch

Re: Grave apache dos possible through byterange requests

2011-08-26 Thread Carlos Alberto Lopez Perez
On 26/08/11 11:17, Christian Hammers wrote:
> Hello
>
> Word is spreading that "Request-Range:" seems to be a synonym to "Range:" and
> is similarly vulnerable but not covered by the config snippets that were
> proposed yesterday. So Gentlemen, patch again! :-(
>
Confirmed! Just modified the sugg

Re: Grave apache dos possible through byterange requests

2011-08-26 Thread Christian Hammers
Hello

Word is spreading that "Request-Range:" seems to be a synonym to "Range:" and is similarly vulnerable but not covered by the config snippets that were proposed yesterday. So Gentlemen, patch again! :-(

bye,
-christian-

Re: Grave apache dos possible through byterange requests

2011-08-25 Thread Rolf Kutz
On 24/08/11 08:53 +0200, Dirk Hartmann wrote:
it is possible to dos an actual squeeze-apache2 with easy to forge range-requests:
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
Apache-devs are working on a solution:
http://www.gossamer-threads.com/lists/apache/dev/401

Re: Grave apache dos possible through byterange requests

2011-08-24 Thread Carlos Alberto Lopez Perez
On 24/08/11 14:12, Andrew McGlashan wrote:
>
> Would that work for all websites of a Debian server if placed into a
> file located in /etc/apache2/conf.d ?
>
> Will other rewrites be fine in the normal conf files for each website?
>
> Thanks

It should not mess with other redirects that y

Re: Grave apache dos possible through byterange requests

2011-08-24 Thread Carlos Alberto Lopez Perez
On 24/08/11 12:13, Carlos Alberto Lopez Perez wrote:
> You can use the following redirect as a temporary workaround:
>
> # a2enmod rewrite
>
> RewriteEngine On
> RewriteCond %{HTTP:Range} bytes=0-.* [NC]
> RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
>
Sorry, the above redirect is wrong. It

Re: Grave apache dos possible through byterange requests

2011-08-24 Thread Andrew McGlashan
Hi,

Carlos Alberto Lopez Perez wrote:
> You can use the following redirect as a temporary workaround:
>
> # a2enmod rewrite
>
> RewriteEngine On
> RewriteCond %{HTTP:Range} bytes=0-.* [NC]
> RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]

Would that work for all websites of a Debian server if placed into

Re: Grave apache dos possible through byterange requests

2011-08-24 Thread Carlos Alberto Lopez Perez
On 24/08/11 12:45, Andrea Zwirner wrote:
> 2011/8/24 Carlos Alberto Lopez Perez
>
>> On 24/08/11 08:53, Dirk Hartmann wrote:
>>> Hi,
>>>
>>> it is possible to dos an actual squeeze-apache2 with easy to forge
>>> range-requests:
>>>
>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-Augu

Re: Grave apache dos possible through byterange requests

2011-08-24 Thread Andrea Zwirner
2011/8/24 Carlos Alberto Lopez Perez
> On 24/08/11 08:53, Dirk Hartmann wrote:
> > Hi,
> >
> > it is possible to dos an actual squeeze-apache2 with easy to forge
> > range-requests:
> >
> > http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
> >
> > Apache-devs are working

Re: Grave apache dos possible through byterange requests

2011-08-24 Thread Carlos Alberto Lopez Perez
On 24/08/11 08:53, Dirk Hartmann wrote:
> Hi,
>
> it is possible to dos an actual squeeze-apache2 with easy to forge
> range-requests:
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
>
> Apache-devs are working on a solution:
>
> http://www.gossamer-threads.com/list

Grave apache dos possible through byterange requests

2011-08-23 Thread Dirk Hartmann
Hi,

it is possible to dos an actual squeeze-apache2 with easy to forge range-requests:
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
Apache-devs are working on a solution:
http://www.gossamer-threads.com/lists/apache/dev/401638
But because the situation seems serious