From owner-freebsd-hackers  Sun Jun 23  1: 1:54 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mobile.webweaving.org (fia224-72.dsl.hccnet.nl [62.251.72.224])
	by hub.freebsd.org (Postfix) with ESMTP id 9C83537B40A
	for <freebsd-hackers@FreeBSD.org>; Sun, 23 Jun 2002 01:01:31 -0700 (PDT)
Received: from localhost.leiden.webweaving.org (localhost.leiden.webweaving.org [127.0.0.1] (may be forged))
	by mobile.webweaving.org (8.12.2/8.10.2) with ESMTP id g5N81It3002478;
	Sun, 23 Jun 2002 10:01:18 +0200 (CEST)
X-Curiosity: Killed the Cat
X-Huis-aan-Huis-deur-sticker: nee-nee
X-Spam: no
X-Passed: MX on Gandalf.WebWeaving.org Sun, 23 Jun 2002 10:01:18 +0200 (CEST) and masked
X-No-Spam: Neither the receipients nor the senders email address(s)
	are to be used for Unsolicited (Commercial) Email without the
	explicit written consent of either party; as a per-message fee
	is incurred for inbound and outbound traffic to the originator.
Date: Sun, 23 Jun 2002 10:01:18 +0200 (CEST)
From: dirkx@covalent.net
X-X-Sender: dirkx@mobile.webweaving.org
To: yid@softhome.net
Cc: tlambert2@mindspring.com, root@utility.clubscholarship.com,
	freebsd-hackers@FreeBSD.org
Subject: Re: inuring FreeBSD to the apache bug without upgrading apache ?
In-Reply-To: <20020623003014.1575c491.yid@softhome.net>
Message-ID: <Pine.OSX.4.44.0206230957070.388-100000@mobile.webweaving.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG


On Sun, 23 Jun 2002, Joshua Lee wrote:

> On Thu, 20 Jun 2002 19:59:20 -0700
> Terry Lambert <tlambert2@mindspring.com> wrote:
>
> > Patrick Thomas wrote:
> > > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your
> > > system is no longer vulnerable to the "chunking" attack, even if you are
> > > still running a vulnerable apache ?
> >
> > Not FreeBSD, but it's possible to reconfigure Apache.
> >
> > The way you would deal with this would be to tell Apache that it
> > was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature.
>
> I've found a better solution! On today's freshports there is something
> called mod_blowchunks :-) If installed, it will reject chunking and log
> it. This is an alternative to upgrading Apache.

Given the place the problem occurs: I'd be weary of such solutions.
Apaceh's myrad of config abilities are second only to sendmail - and it is
easy to let a certain case slip through.

If nessesary simply do a 'cvs diff' on apache it's cvs (dev.apache.org for
anon access; I am willing to work with BSD developers to help if needed)
to see the relatively few lines of code which are an issue - and which can
be backported easily.

Dw




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message