SCIENTIFIC-LINUX-USERS Archives

June 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Gerald Waugh <[log in to unmask]>
Reply To:
Gerald Waugh <[log in to unmask]>
Date:
Fri, 28 Jun 2013 20:58:26 -0500
On 06/28/2013 04:33 AM, David Sommerseth wrote:
> On 27/06/13 19:02, Gerald Waugh wrote:
>> Apache HTTP Server Overlapping Byte-Range Denial of Service
>>
>> Apache HTTP Server version 2.2.20 has been released to address this
>> issue, though many vendors (Redhat,
>> Debian, etc) have also backported fixes to address the problem.
>>
>> Does anyone know if this is fixed in 2.2.15 ?
> I haven't checked myself, but I presume this command line could give
> some qualified clues:
>
>    $ rpm -q --changelog httpd
Thanks David,

Turns out that the vulnerability is covered in CVE-2011-3192

[root@www web]# rpm -q --changelog httpd | grep CVE-2011-3192

* Thu Sep 08 2011 Joe Orton <[log in to unmask]> - 2.2.15-13
- add security fix for CVE-2011-3192 (#733063, #736592)

-- 
Gerald
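
Added example, not part of the original message: a shell helper that reads `rpm -q --changelog` output and reports which package version-release first mentions a given CVE, so a backported fix can be compared against the installed build. The function names, the sample changelog and its maintainer name are constructed for illustration; only the CVE-2011-3192 entry text and the 2.2.15-13 release come from the thread, and the helper assumes each entry header ends with the version-release.

```shell
#!/bin/sh
# cve_fixed_in CVE-ID
# Reads `rpm -q --changelog <pkg>` output on stdin and prints the
# version-release of every changelog entry that mentions the CVE.
# Entry headers look like: "* Thu Sep 08 2011 Name <email> - 2.2.15-13"
# Exit status is 0 if at least one entry matched, 1 otherwise.
cve_fixed_in() {
    awk -v cve="$1" '
        # New entry header: remember its version-release (last field).
        /^\* / { ver = $NF; reported = 0; next }
        # Match the exact CVE id; a trailing digit would be a different CVE.
        $0 ~ (cve "([^0-9]|$)") && !reported {
            print ver; reported = 1; found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample changelog (not real package output), newest first.
# CVE-0000-0002 and the #10000x bug numbers are placeholders.
sample_changelog() {
    cat <<'EOF'
* Mon Feb 06 2012 Example Maintainer <maint@example.com> - 2.2.15-15
- add security fix for CVE-0000-0002 (#100002)

* Thu Sep 08 2011 Example Maintainer <maint@example.com> - 2.2.15-13
- add security fix for CVE-2011-3192 (#733063, #736592)

* Tue Jul 05 2011 Example Maintainer <maint@example.com> - 2.2.15-11
- fix logrotate handling (#100001)
EOF
}

# On a real host: rpm -q --changelog httpd | cve_fixed_in CVE-2011-3192
# Here the constructed sample stands in for the rpm output.
sample_changelog | cve_fixed_in CVE-2011-3192
```

Compare the printed release with `rpm -q httpd`. A missing entry is not proof the package is vulnerable, since the changelog is maintainer-written text and a fix can also arrive through a rebase.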

