Re: Apache warns Web server admins of DoS attack tool

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Thu, 2011-08-25 at 12:33 -0400, m.roth@xxxxxxxxx wrote:
> Anyone have any idea how soon RHEL and CentOS will be releasing the patch
> package?
> 
> Excerpt:
> Computerworld - Developers of the Apache open-source project today
> warned users of the popular Web server software that a denial-of-service
> (DoS) tool is circulating that exploits a bug in the program.

>
<http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_adm
 ins_of_DoS_attack_tool>

There are some work-around suggestions here:
http://lwn.net/Articles/456268/

Thanks Mark for the warning and also to Colin. I am sure CENTOS users
appreciate it. I certainly do.

The temporary fix is shown on several web sites as this, shown below,
added to Apache's conf file:-


          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range
  
          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

I've done this on the Apache's main conf file and restarted it. httpd
appear to be working normally on reliable Centos 5.6.

Its great having a Centos mailing list where concerned Centos users can
post news about issues affecting other Centos users, even if the posting
user accidentally forgets to mention which version of Centos is
affected.

Have a nice day everyone.

Paul.




_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux