Mitigation for CVE-2011-3192

author Silvio Rhatto <rhatto@riseup.net>

Thu, 25 Aug 2011 22:53:21 +0000 (19:53 -0300)

committer Silvio Rhatto <rhatto@riseup.net>

Thu, 25 Aug 2011 22:53:21 +0000 (19:53 -0300)
author Silvio Rhatto <rhatto@riseup.net>
Thu, 25 Aug 2011 22:53:21 +0000 (19:53 -0300)
committer Silvio Rhatto <rhatto@riseup.net>
Thu, 25 Aug 2011 22:53:21 +0000 (19:53 -0300)
diff --git a/templates/apache2.conf.erb b/templates/apache2.conf.erb

index ee28bdc47ce3c9288daad2593b2f2ba5061b67f4..e387ea8738beef50767cc95b27268097c409dc19 100644 (file)
--- a/templates/apache2.conf.erb
+++ b/templates/apache2.conf.erb
@@ -89,6 +89,13 @@ MaxKeepAliveRequests 100
  #
  KeepAliveTimeout 15
  
+# Drop the Range header when more than 5 ranges.
+# CVE-2011-3192
+# See http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser
+# TODO: remove this when a fix is released
+SetEnvIf Range (,.*?){5,} bad-range=1
+RequestHeader unset Range env=bad-range
+
  ##
  ## Server-Pool Size Regulation (MPM specific)
  ##
author	Silvio Rhatto <rhatto@riseup.net>
	Thu, 25 Aug 2011 22:53:21 +0000 (19:53 -0300)
committer	Silvio Rhatto <rhatto@riseup.net>
	Thu, 25 Aug 2011 22:53:21 +0000 (19:53 -0300)