[Systems] Apache vulnerability
Bernie Innocenti
bernie at sugarlabs.org
Wed Aug 24 19:56:51 EDT 2011
On Wed, 2011-08-24 at 23:29 +0200, Sascha Silbe wrote:
> Hi everyone!
>
> There seems to be a vulnerability in Apache with no available fix yet
> that's getting exploited at some sites. [1] explains a workaround, maybe
> someone (!= me, sorry) can add it to the Apache configs on our servers?
Thanks for the heads up.
The gnu.org website was probably attacked today with this exploit. I
implemented one of the workarounds recommended by LWN.
Since sugarlabs.org is a lower profile target, I'd propose to wait for
the distro update. In case we get attacked in the meantime, all we have
to do to implement the workaround is:
$ cat >/etc/apache2/conf.d/cve-2011-3192 <<__EOF__
#bernie: from http://lwn.net/Articles/456268/
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
__EOF__
$ a2enmod headers
$ service apache2 reload
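As an added example (not part of the post or the LWN article), the following Python script shows exactly which Range headers the SetEnvIf line above would drop, and runs a small tally over constructed lines in the format the CustomLog directive writes to range-CVE-2011-3192.log. The sample headers, IPs and log lines are all made up for illustration.

```python
import re
from collections import Counter

# Same pattern as the SetEnvIf line in the workaround: five or more commas
# anywhere in the Range value, which means six or more byte ranges.
# SetEnvIf does an unanchored PCRE match, so re.search() is the closest
# Python equivalent.
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")


def is_bad_range(range_header: str) -> bool:
    """True if the workaround would unset this Range header (and log it)."""
    return BAD_RANGE_RE.search(range_header) is not None


def count_ranges(range_header: str) -> int:
    """Count byte-range specs in a 'bytes=a-b,c-d,...' header.

    Empty specs (from doubled commas) are ignored here, but note that the
    SetEnvIf pattern counts raw commas, so 'bytes=0-,,,,,' is dropped too.
    """
    if not range_header.lower().startswith("bytes="):
        return 0
    specs = range_header[len("bytes="):].split(",")
    return sum(1 for s in specs if s.strip())


# Constructed sample headers (not taken from any real traffic).
SAMPLE_HEADERS = [
    "bytes=0-",                                 # 1 range, normal download resume
    "bytes=0-1,2-3,4-5,6-7,8-9",                # 5 ranges, 4 commas: kept
    "bytes=0-1,2-3,4-5,6-7,8-9,10-11",          # 6 ranges, 5 commas: dropped
    "bytes=0-,0-,0-,0-,0-,0-,0-,0-,0-,0-,0-",   # overlapping ranges: dropped
]

# Common log format (%h %l %u %t "%r" %>s %b), which is what 'common' expands to.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed lines as range-CVE-2011-3192.log would contain them; every line in
# that file is a request whose Range header was dropped, so each line is a hit.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Aug/2011:19:40:02 -0400] "HEAD / HTTP/1.1" 200 -',
    '198.51.100.7 - - [24/Aug/2011:19:40:02 -0400] "HEAD / HTTP/1.1" 200 -',
    '203.0.113.9 - - [24/Aug/2011:19:41:15 -0400] "GET /index.html HTTP/1.1" 200 5124',
    "this line is deliberately unparseable",
]


def hits_per_host(log_lines):
    """Tally dropped-Range requests per client address, skipping malformed lines."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group("host")] += 1
    return counts


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        verdict = "DROPPED" if is_bad_range(h) else "kept"
        print(f"{count_ranges(h):2d} ranges  {verdict:8s}  {h}")
    for host, n in hits_per_host(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host}")
```

The point worth keeping in mind when reading the config comment "more than 5 ranges": the pattern counts commas, not ranges, so a header with exactly five ranges (four commas) passes untouched and six or more are dropped, which is what the comment describes.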
@ward, @peabo: we should remember to disable the workaround after
installing the update.
--
Bernie Innocenti
Sugar Labs Infrastructure Team
http://wiki.sugarlabs.org/go/Infrastructure_Team