From owner-freebsd-apache@FreeBSD.ORG Thu Sep 1 08:33:09 2011
Date: Thu, 1 Sep 2011 01:33:08 -0700
From: Jeremy Chadwick
To: Oliver Brandmueller
Cc: apache@FreeBSD.org
Subject: Re: apache 2.2.20 ?
Message-ID: <20110901083308.GA21588@icarus.home.lan>
In-Reply-To: <20110901073957.GI96792@e-Gitt.NET>
List-Id: Support of apache-related ports

On Thu, Sep 01, 2011 at 09:39:57AM +0200, Oliver Brandmueller wrote:
> desperately waiting for apache 2.2.20 security update in the ports, is
> there anything on the horizon?

Apache 2.2.20 was released in the early evening on 08/30 (mirrors say
around 18:xx, Pacific Time I believe), which means it's only been
available for about 30 hours.
What bothers me more is:

1) That there's no standalone patch available for CVE-2011-3192 (the
   Range/Request-Range DoS), e.g. a patch someone could drop into
   files/patch-XXX and be done with it,

2) The portaudit database (security/vuxml) has not been updated to
   reflect this situation (I have done "portaudit -Fda" more times than
   I can count), so I believe there are people who have no idea they're
   affected (keep reading),

3) There are *lots* of people who run Apache who have no knowledge of
   this issue. Fellow senior-level SAs I know out east had never even
   heard of it, so I wouldn't be surprised if subscribers to
   freebsd-apache hadn't either.

I don't understand how/why this issue was disclosed so quietly (in my
opinion).

Be aware the initial CVE announcement was inadequate and lacked
directives that would ignore the old-yet-still-honoured Request-Range
header, so some who think they're immune may not fully be.

Furthermore, some of the Linux-oriented sites provided badly-written
directives that are incorrect/wrong, and those are making their way into
the "blogosphere". The icing on the cake comes from "security experts"
who posted "vulnerability test" scripts which are completely and
entirely broken -- their perl code fails miserably (awful coding errors)
and can/will report you as vulnerable when in fact you aren't. These
made rounds on security lists all over -- what a nightmare.

If there are people here who do not know how to *properly* make
themselves immune to the DoS mentioned in CVE-2011-3192, please reply to
the list (not me personally) and I will take the time to do a full
write-up, as well as provide a test methodology for you to use (requires
www/p5-libwww). And I don't bother with Apache 1.3.x, sorry.

And finally, for those wondering what the DoS looks like on a FreeBSD
box, one of our customers was hit with this twice (on the 29th and 30th)
before I was able to deploy the workaround, so I can describe the
behaviour of the system and all of the symptoms.
Just let me know on-list and I can provide a write-up (I had to do one
for the customer). Be aware said box is FreeBSD 7.x, but I'm certain the
behaviour would be the exact same on all FreeBSD versions.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
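The point the mail makes about Request-Range is easy to get wrong in a checker, so here is an added example of a probe for it; this is not the author's p5-libwww methodology nor anything from the FreeBSD ports tree, and it deliberately does not attempt the DoS. It sends one GET per header (Range, then the legacy Request-Range) with a small number of overlapping byte ranges and classifies only how the server answers. The verdict mapping assumes the mitigations the Apache advisory for CVE-2011-3192 describes (dropping the header with RequestHeader unset, or refusing the request with a mod_rewrite rule) and the 2.2.20 behaviour of serving the whole file when the ranges exceed it: 206 with multipart/byteranges means the header was honoured, 200 means the ranges were not acted on, 403/416 means the request was refused. Host, port and path are command-line arguments; the header values are constructed in the script. A server that strips Range but still honours Request-Range is reported as not mitigated.

```python
#!/usr/bin/env python3
"""Probe whether a server still acts on multi-range Range / Request-Range
headers (CVE-2011-3192 mitigation check).  Added example; sends 20 small
overlapping ranges per request, which is enough to trip a "more than 5
ranges" filter and far too few to load the server."""
import http.client
import sys

N_RANGES = 20
# Apache's byterange filter falls back to the legacy Request-Range header
# when Range is absent, so both must be probed.
PROBE_HEADERS = ("Range", "Request-Range")


def build_range_value(n_ranges):
    """Return 'bytes=0-,0-1,1-2,...' with n_ranges valid, overlapping ranges."""
    if n_ranges < 1:
        raise ValueError("need at least one range")
    parts = ["0-"] + [f"{i}-{i + 1}" for i in range(n_ranges - 1)]
    return "bytes=" + ",".join(parts)


def classify(status, content_type):
    """Map one response to a verdict on the probed header.

    206 + multipart/byteranges : server assembled a multipart body from our
                                 ranges, i.e. the header was honoured.
    200                        : ranges not acted on (header stripped by
                                 RequestHeader unset, or 2.2.20 serving the
                                 whole file because the ranges exceed it).
    403 / 416                  : request refused (e.g. mod_rewrite [F]).
    anything else (including a single-range 206) is reported verbatim.
    """
    ctype = (content_type or "").lower()
    if status == 206 and "multipart/byteranges" in ctype:
        return "honoured"
    if status == 200:
        return "ignored"
    if status in (403, 416):
        return "rejected"
    return f"unexpected({status})"


def probe_header(host, port, header_name, path="/", use_tls=False, timeout=10):
    """Send one GET carrying header_name and classify the answer."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={
            header_name: build_range_value(N_RANGES),
            "User-Agent": "cve-2011-3192-probe",
        })
        resp = conn.getresponse()
        resp.read()  # drain; a multipart body for 20 two-byte ranges is tiny
        return classify(resp.status, resp.getheader("Content-Type"))
    finally:
        conn.close()


def is_mitigated(verdicts):
    """Mitigated only if neither header was honoured.  Stripping Range while
    still serving Request-Range is the half-fixed case the mail warns about."""
    return all(v != "honoured" for v in verdicts.values())


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} host [port] [path]", file=sys.stderr)
        return 2
    host = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 80
    path = argv[3] if len(argv) > 3 else "/"
    verdicts = {h: probe_header(host, port, h, path) for h in PROBE_HEADERS}
    for name, verdict in verdicts.items():
        print(f"{name:14s} {verdict}")
    ok = is_mitigated(verdicts)
    print("mitigated" if ok else "NOT mitigated")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `./probe.py www.example.org 80 /` (assumed filename). It exits 0 only when neither header produced a multipart 206; a plain `Range: bytes=0-` check would miss a host that honours only the legacy header.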