Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Dirk-Willem van Gulik
* Folks - do we also need to add Request-Range? * Updated with Rudiger's, Eric's and Florian's comments. * Consensus that the deflate stuff needs to go out reflected. * More comments please, esp. on the quality and realisticness of the mitigations. * Is this the right

Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Eric Covener
* Is this the right list (and order) of the mitigations - or should ReWrite be first? FWIW I don't like rewrite first because it's so unruly with being defined once per vhost + main server + RewriteEngine on. I like RequestHeader simplicity, and could be combined with SetEnvIf to only

Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Eric Covener
On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener cove...@gmail.com wrote: * Is this the right list (and order) of the mitigations - or should ReWrite be first? FWIW I don't like rewrite first because it's so unruly with being defined once per vhost + main server + RewriteEngine on. I

Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Eric Covener
On Wed, Aug 24, 2011 at 9:29 AM, Eric Covener cove...@gmail.com wrote: On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener cove...@gmail.com wrote: * Is this the right list (and order) of the mitigations - or should ReWrite be first? FWIW I don't like rewrite first because it's so unruly

RE: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Plüm, Rüdiger, VF-Group
. August 2011 15:08 To: Dirk-Willem van Gulik Cc: dev@httpd.apache.org; secur...@httpd.apache.org Subject: Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3) * Folks - do we also need to add Request-Range? * Updated with Rudiger's comments

RE: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Plüm, Rüdiger, VF-Group
-Original Message- From: Eric Covener [mailto:cove...@gmail.com] Sent: Wednesday, 24 August 2011 15:29 To: dev@httpd.apache.org Subject: Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3) On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener cove

Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Jim Jagielski
+1 On Aug 24, 2011, at 10:29 AM, Plüm, Rüdiger, VF-Group wrote: -Original Message- From: Eric Covener [mailto:cove...@gmail.com] Sent: Wednesday, 24 August 2011 15:29 To: dev@httpd.apache.org Subject: Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache

Re: CVE-2011-3192: Range header DoS vulnerability in Apache 1.3 and Apache 2 (DRAFT-3)

2011-08-24 Thread Nick Kew
On Wed, 24 Aug 2011 09:30:34 -0400 Eric Covener cove...@gmail.com wrote: Or more like Ruediger's: SetEnvIf Range (,[^,]*){5,} bad-range=1 Or just Untaint HTTP_RANGE (,[^,]*){5,} Is it time to re-suggest dropping mod_taint into trunk? -- Nick Kew