[Systems] Apache vulnerability

Stefan Unterhauser stefan at unterhauser.name
Wed Aug 24 21:06:13 EDT 2011


On Wed, Aug 24, 2011 at 7:56 PM, Bernie Innocenti <bernie at sugarlabs.org> wrote:
> On Wed, 2011-08-24 at 23:29 +0200, Sascha Silbe wrote:
>> Hi everyone!
>>
>> There seems to be a vulnerability in Apache with no available fix yet
>> that's getting exploited at some sites. [1] explains a workaround, maybe
>> someone (!= me, sorry) can add it to the Apache configs on our servers?
>
> Thanks for the heads up.
>
> The gnu.org website was probably attacked today with this exploit. I
> implemented one of the workarounds recommended by LWN.
>
> Since sugarlabs.org is a lower profile target, I'd propose to wait for
> the distro update.

+1


> In case we get attacked in the meantime, all we have
> to do to implement the workaround is:
>
> $ cat >/etc/apache2/conf.d/cve-2011-3192  <<__EOF__
> #bernie: from http://lwn.net/Articles/456268/
>
> # Drop the Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
>
> CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
> __EOF__
> $ a2enmod headers
> $ service apache2 reload
>
> @ward, @peabo: we should remember to disable the workaround after
> installing the update.
>
> --
> Bernie Innocenti
> Sugar Labs Infrastructure Team
> http://wiki.sugarlabs.org/go/Infrastructure_Team
>
>
> _______________________________________________
> Systems mailing list
> Systems at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/systems
>
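As an added illustration (not code from the thread or from the LWN article), the Python below emulates the quoted `SetEnvIf Range (,.*?){5,}` test and sets it beside a literal count of byte-range specifiers. It shows that the workaround is a comma count: any Range header carrying five or more commas is dropped, even when it holds only one real range. The sample headers are constructed here.

```python
import re

# Constructed emulation of the quoted workaround; not Apache's own code.
# SetEnvIf Range (,.*?){5,} bad-range=1  --> matches five or more commas.
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")
MAX_RANGES = 5  # "more than 5 ranges" in the config comment


def setenvif_matches(range_header: str) -> bool:
    """True when the SetEnvIf pattern would set bad-range=1 for this header."""
    return BAD_RANGE_RE.search(range_header) is not None


def count_range_specs(range_header: str) -> int:
    """Count non-empty byte-range specifiers in 'bytes=a-b,c-d,...'."""
    unit, sep, specs = range_header.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return 0
    return sum(1 for spec in specs.split(",") if spec.strip())


def classify(range_header: str) -> dict:
    """Compare the regex decision with an actual range count."""
    n = count_range_specs(range_header)
    return {
        "header": range_header,
        "ranges": n,
        "dropped_by_workaround": setenvif_matches(range_header),
        "over_limit": n > MAX_RANGES,
    }


# Constructed sample headers (not taken from the thread).
SAMPLES = [
    "bytes=0-99",                        # ordinary single range
    "bytes=0-1, 2-3, 4-5",               # legitimate multi-range, 3 specs
    "bytes=0-1,2-3,4-5,6-7,8-9",         # exactly 5 specs: 4 commas, kept
    "bytes=0-1,2-3,4-5,6-7,8-9,10-11",   # 6 specs: 5 commas, header dropped
    "bytes=0-,,,,,",                     # 1 real spec but 5 commas: dropped too
]


def run_samples() -> list:
    """Classify every sample; returned list is what the test asserts on."""
    return [classify(h) for h in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```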

