[Systems] Apache vulnerability

Bernie Innocenti bernie at sugarlabs.org
Wed Aug 24 19:56:51 EDT 2011


On Wed, 2011-08-24 at 23:29 +0200, Sascha Silbe wrote:
> Hi everyone!
> 
> There seems to be a vulnerability in Apache with no available fix yet
> that's getting exploited at some sites. [1] explains a workaround, maybe
> someone (!= me, sorry) can add it to the Apache configs on our servers?

Thanks for the heads up.

The gnu.org website was probably attacked today with this exploit. I
implemented one of the workarounds recommended by LWN.

Since sugarlabs.org is a lower profile target, I'd propose to wait for
the distro update. In case we get attacked in the meantime, all we have
to do to implement the workaround is:

$ cat >/etc/apache2/conf.d/cve-2011-3192  <<__EOF__
#bernie: from http://lwn.net/Articles/456268/

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
__EOF__
$ a2enmod headers
$ service apache2 reload

@ward, @peabo: we should remember to disable the workaround after
installing the update.

-- 
Bernie Innocenti
Sugar Labs Infrastructure Team
http://wiki.sugarlabs.org/go/Infrastructure_Team
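The SetEnvIf line above is an unanchored regex search over the Range header; five or more commas (six or more ranges) set bad-range, mod_headers then strips the header and the CustomLog records the request. The following script is an added illustration, not part of the thread: it applies the same regex so you can check which headers the workaround catches, and goes one step further by summarising the resulting log per client. Sample headers and log lines are constructed, and the function names are my own.

```python
"""Mirror of the CVE-2011-3192 workaround quoted in the mail above.

Apache evaluates `SetEnvIf Range (,.*?){5,} bad-range=1` as a regex
search over the Range header; matching requests get the header removed
(RequestHeader unset, needs mod_headers) and are written to
range-CVE-2011-3192.log in common log format.
"""
import re
from collections import Counter

# Same pattern as the SetEnvIf line: five or more commas, i.e. six or more ranges.
BAD_RANGE = re.compile(r"(,.*?){5,}")

def is_bad_range(range_header: str) -> bool:
    """True if Apache would set bad-range=1 and strip this header."""
    return BAD_RANGE.search(range_header) is not None

def count_ranges(range_header: str) -> int:
    """Number of byte-range specs in a header such as 'bytes=0-1,2-3'."""
    _, _, spec = range_header.partition("=")
    return len([r for r in spec.split(",") if r.strip()])

# Common log format (%h %l %u %t "%r" %>s %b), as produced by the CustomLog line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \S+$')

def suspicious_clients(log_lines):
    """Count requests whose Range header was dropped, per client address."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            hits[m.group(1)] += 1
    return hits

# Constructed sample of what range-CVE-2011-3192.log would contain.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Aug/2011:19:40:02 -0400] "HEAD / HTTP/1.1" 200 -
203.0.113.7 - - [24/Aug/2011:19:40:02 -0400] "HEAD / HTTP/1.1" 200 -
198.51.100.9 - - [24/Aug/2011:19:41:10 -0400] "GET /index.html HTTP/1.1" 200 1234
""".splitlines()

if __name__ == "__main__":
    for hdr in ("bytes=0-", "bytes=0-1,2-3,4-5,6-7,8-9", "bytes=0-1,2-3,4-5,6-7,8-9,10-11"):
        print(f"{hdr!r}: {count_ranges(hdr)} ranges, dropped={is_bad_range(hdr)}")
    print(suspicious_clients(SAMPLE_LOG))
```

Note that a header with exactly five ranges passes through untouched; the threshold in the workaround is commas, not ranges.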
