apache 2.2.20 ?

Jeremy Chadwick freebsd at jdc.parodius.com
Thu Sep 1 08:33:09 UTC 2011

On Thu, Sep 01, 2011 at 09:39:57AM +0200, Oliver Brandmueller wrote:
> desperately waiting for apache 2.2.20 security update in the ports, is 
> there anything at the horizon?

Apache 2.2.20 was released in the early evening on 08/30 (mirrors say
around 18:xx, Pacific Time I believe), which means it's only been
available for about ~30 hours.

What bothers me more is:

1) That there's no standalone patch available for CVE-2011-3192 (the
Range/Request-Range DoS), e.g. a patch someone could drop into
files/patch-XXX and be done with it,

2) The portaudit database (security/vuxml) has not been updated to
reflect this situation (I have done "portaudit -Fda" more times than I
can count), so I believe there are people who have no idea they're
affected (keep reading),

3) There are *lots* of people who run Apache who have no knowledge of
this issue.  Fellow senior-level SAs I know out east had never even
heard of it, so I wouldn't be surprised if subscribers to freebsd-apache
hadn't either.  I don't understand how/why this issue was disclosed so
quietly (in my opinion).

Be aware the initial CVE announcement was inadequate and lacked
directives that would ignore the old-yet-still-honoured Request-Range
header, so some who think they're immune may not fully be.

Furthermore, some of the Linux-oriented sites provided badly-written
directives that are incorrect/wrong, and those are making their way into
the "blogosphere",

The icing on the cake comes from "security experts" who posted
"vulnerability test" scripts which are completely and entirely broken --
their perl code fails miserably (awful coding errors) and can/will
report you as vulnerable when in fact you aren't.  These made rounds on
security lists all over -- what a nightmare.

If there are people here who do not know how to *properly* make
themselves immune to the DoS mentioned in CVE-2011-3192, please reply to
the list (not me personally) and I will take the time to do a full
write-up, as well as provide a test methodology for you to use (requires
www/p5-libwww).  And I don't bother with Apache 1.3.x, sorry.

And finally, for those wondering what the DoS looks like on a FreeBSD
box, one of our customers was hit with this twice (on the 29th and 30th)
before I was able to deploy the workaround, so I can describe the
behaviour of the system and all of the symptoms.  Just let me know
on-list and I can provide a write-up (I had to do one for the customer).
Be aware said box is FreeBSD 7.x, but I'm certain the behaviour would be
the exact same on all FreeBSD versions.

| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |

More information about the freebsd-apache mailing list