Nov 04, 2011 - 9:08 a.m.

Security update for Apache 2 (important)


0.963 High




This update fixes a remote denial of service bug (memory
exhaustion) in the Apache 2 HTTP server that could be
triggered by remote attackers using multiple overlapping
Request Ranges. (CVE-2011-3192)

The fix introduces a new config option: Allow MaxRanges
Number of ranges requested, if exceeded, the complete
content is served.
 - default: 200
 - 0|unlimited: unlimited
 - none: Range headers are ignored.
(This option is a backport from 2.2.21.)
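The MaxRanges settings listed above, modelled as an added example for reviewing configurations or request logs. This is not Apache's or SUSE's code: the function names are hypothetical, and treating an unparsable Range header as ignored is an assumption.

```python
import re

# One byte-range-spec: "first-last", "first-" or "-suffix" (digits only).
_SPEC = re.compile(r"\s*(\d*)-(\d*)\s*", re.ASCII)

def parse_ranges(header):
    """Return [(first, last), ...] with None for an omitted bound, or None if invalid."""
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.fullmatch(spec)
        if not m or not (m.group(1) or m.group(2)):
            return None
        first, last = (int(g) if g else None for g in m.groups())
        ranges.append((first, last))
    return ranges

def apply_max_ranges(header, setting="default"):
    """Return 'full' (complete content served) or 'partial' (ranges honoured)."""
    setting = str(setting).lower()
    if setting == "none":                  # none: Range headers are ignored
        return "full"
    ranges = parse_ranges(header)
    if ranges is None:                     # assumption: invalid header is ignored
        return "full"
    if setting in ("0", "unlimited"):      # 0|unlimited: no limit on range count
        return "partial"
    limit = 200 if setting == "default" else int(setting)
    return "full" if len(ranges) > limit else "partial"

def overlapping(ranges, length):
    """True if any two ranges overlap once resolved against the content length."""
    spans = []
    for first, last in ranges:
        if first is None:                  # suffix form "-N": the last N bytes
            start, end = max(length - last, 0), length - 1
        else:
            start, end = first, length - 1 if last is None else min(last, length - 1)
        if start <= end:                   # unsatisfiable ranges are skipped
            spans.append((start, end))
    spans.sort()
    # After sorting by start, any overlap shows up between neighbours.
    return any(b[0] <= a[1] for a, b in zip(spans, spans[1:]))
```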

It also fixes a minor security issue in the mod_cache
modules of the Apache HTTP Server that allowed remote
attackers to cause a denial of service (process crash) via
a request that lacks a path. (CVE-2010-1452)

It also fixes some non-security bugs:
 - take the LimitRequestFieldsize config option into account
   when parsing headers from the backend, so that the
   receiving buffers are not too small. bnc#690734
 - add / when on a directory to feed correctly linked
   listings. bnc#661597
 - a2enmod shall not disable a module in query mode.
   bnc#663359
 - new option SSLRenegBufferSize fixes the "413 Request
   Entity Too Large" problem.
 - fix graceful restart hangs. bnc#555098

Security Issues: