Posted to docs@httpd.apache.org by Apache Wiki <wi...@apache.org> on 2012/04/06 12:14:17 UTC

[Httpd Wiki] Update of "CVE-2011-3192" by RobertPattinson

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "CVE-2011-3192" page has been changed by RobertPattinson:
http://wiki.apache.org/httpd/CVE-2011-3192?action=diff&rev1=13&rev2=14

  The attack can be done remotely and with a modest number of requests can
  cause very significant memory and CPU usage on the server.
  
- The default Apache httpd installations version 2.0 prior to 2.0.65 and 
+ The default Apache httpd installations version 2.0 prior to 2.0.65 and
  version 2.2 prior to 2.2.20 are vulnerable.
  
  Apache 2.2.20 does fix this issue; however with a number of side effects
@@ -111, +111 @@

  in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the
  legacy 2.0.65 release, once this is published (anticipated in September).
  
- If you cannot upgrade, or cannot wait to upgrade - you can apply the 
+ If you cannot upgrade, or cannot wait to upgrade - you can apply the
  appropriate source code patch and recompile a recent existing version;
  
    http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/ (for 2.2.9 - .14)
@@ -210, +210 @@

     A stop-gap module which is runtime-configurable can be found at:
  
       http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/
-  
+ 
-    A simpler stop-gap module which requires compile-time configuration 
+    A simpler stop-gap module which requires compile-time configuration
     is also available:
  
       http://people.apache.org/~dirkx/mod_rangecnt.c
@@ -258, +258 @@

  of the versions in the wild currently check for the presence of mod_deflate;
  and will (mis)report that your server is not vulnerable if this module is not
  present. This vulnerability is not dependent on presence or absence of
- that module.
+ that module.[
- 
- Planning:
- =========
- 
- No further advisory email announcements are planned. However we will track
- minor refinements of this advisory at;
- 
-   http://httpd.apache.org/security/CVE-2011-3192.txt
- 
- Further recommendations and discussion on workarounds, or user-agent
- specific complications of these fixes will be tracked at;
- 
-   http://wiki.apache.org/httpd/CVE-2011-3192
  }}}
+ == . ==
  
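Review bot: the added line `+ that module.[` leaves an unmatched `[` at the end of the sentence, and the added `== . ==` after the closing `}}}` creates a heading whose only title is a period; neither carries content, so both should be dropped. This hunk also deletes the whole "Planning" section, including the pointers to http://httpd.apache.org/security/CVE-2011-3192.txt and to the wiki page where workarounds and user-agent complications are tracked, with no replacement text. If the removal is intended, the edit should say why; otherwise restore those lines. The other hunks in this revision only strip trailing whitespace, so reverting rev 14 as a whole would lose nothing of substance.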
