From: Silvio Rhatto Date: Thu, 25 Aug 2011 22:53:21 +0000 (-0300) Subject: Mitigation for CVE-2011-3192 X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=ff8478731d6a93cd22d06a1c4769bdc095fedaf0;p=puppet-apache.git Mitigation for CVE-2011-3192 --- diff --git a/templates/apache2.conf.erb b/templates/apache2.conf.erb index ee28bdc..e387ea8 100644 --- a/templates/apache2.conf.erb +++ b/templates/apache2.conf.erb @@ -89,6 +89,13 @@ MaxKeepAliveRequests 100 # KeepAliveTimeout 15 +# Drop the Range header when more than 5 ranges. +# CVE-2011-3192 +# See http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser +# TODO: remove this when a fix is released +SetEnvIf Range (,.*?){5,} bad-range=1 +RequestHeader unset Range env=bad-range + ## ## Server-Pool Size Regulation (MPM specific) ##
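Review bot: The added `RequestHeader unset Range env=bad-range` line in templates/apache2.conf.erb depends on mod_headers (and the `SetEnvIf` line on mod_setenvif), but the block is not wrapped in `<IfModule>` and nothing in this change ensures the modules are enabled, so on a node without mod_headers the rendered config will fail to parse and Apache will not start. Either wrap the two directives in `<IfModule mod_headers.c>` (accepting that the mitigation is then silently absent where the module is missing) or have the Puppet class enable the module alongside this template. Two smaller points on the same block: only `Range` is unset here, so the legacy `Request-Range` header is left untouched, and a plain `RequestHeader unset Request-Range` would cover it; and the comment URL points at the mailing list browser index rather than the specific advisory message, which will make the `TODO: remove this when a fix is released` harder to act on later. Consider linking the exact announcement and gating the block on a template variable so it can be turned off per host once patched packages are deployed.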