From owner-freebsd-hackers Sun Jun 23 1: 1:54 2002 Delivered-To: freebsd-hackers@freebsd.org Received: from mobile.webweaving.org (fia224-72.dsl.hccnet.nl [62.251.72.224]) by hub.freebsd.org (Postfix) with ESMTP id 9C83537B40A for ; Sun, 23 Jun 2002 01:01:31 -0700 (PDT) Received: from localhost.leiden.webweaving.org (localhost.leiden.webweaving.org [127.0.0.1] (may be forged)) by mobile.webweaving.org (8.12.2/8.10.2) with ESMTP id g5N81It3002478; Sun, 23 Jun 2002 10:01:18 +0200 (CEST) X-Curiosity: Killed the Cat X-Huis-aan-Huis-deur-sticker: nee-nee X-Spam: no X-Passed: MX on Gandalf.WebWeaving.org Sun, 23 Jun 2002 10:01:18 +0200 (CEST) and masked X-No-Spam: Neither the receipients nor the senders email address(s) are to be used for Unsolicited (Commercial) Email without the explicit written consent of either party; as a per-message fee is incurred for inbound and outbound traffic to the originator. Date: Sun, 23 Jun 2002 10:01:18 +0200 (CEST) From: dirkx@covalent.net X-X-Sender: dirkx@mobile.webweaving.org To: yid@softhome.net Cc: tlambert2@mindspring.com, root@utility.clubscholarship.com, freebsd-hackers@FreeBSD.org Subject: Re: inuring FreeBSD to the apache bug without upgrading apache ? In-Reply-To: <20020623003014.1575c491.yid@softhome.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Sun, 23 Jun 2002, Joshua Lee wrote: > On Thu, 20 Jun 2002 19:59:20 -0700 > Terry Lambert wrote: > > > Patrick Thomas wrote: > > > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your > > > system is no longer vulnerable to the "chunking" attack, even if you are > > > still running a vulnerable apache ? > > > > Not FreeBSD, but it's possible to reconfigure Apache. > > > > The way you would deal with this would be to tell Apache that it > > was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. > > I've found a better solution! On today's freshports there is something > called mod_blowchunks :-) If installed, it will reject chunking and log > it. This is an alternative to upgrading Apache. Given the place the problem occurs: I'd be weary of such solutions. Apaceh's myrad of config abilities are second only to sendmail - and it is easy to let a certain case slip through. If nessesary simply do a 'cvs diff' on apache it's cvs (dev.apache.org for anon access; I am willing to work with BSD developers to help if needed) to see the relatively few lines of code which are an issue - and which can be backported easily. Dw To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message