Date: Thu, 1 Sep 2011 01:33:08 -0700
From: Jeremy Chadwick <freebsd@jdc.parodius.com>
To: Oliver Brandmueller <ob@e-Gitt.NET>
Cc: apache@FreeBSD.org
Subject: Re: apache 2.2.20 ?
Message-ID: <20110901083308.GA21588@icarus.home.lan>
In-Reply-To: <20110901073957.GI96792@e-Gitt.NET>
References: <20110901073957.GI96792@e-Gitt.NET>
On Thu, Sep 01, 2011 at 09:39:57AM +0200, Oliver Brandmueller wrote:
> desperately waiting for apache 2.2.20 security update in the ports, is
> there anything at the horizon?

Apache 2.2.20 was released in the early evening on 08/30 (mirrors say around 18:xx, Pacific Time I believe), which means it's only been available for about ~30 hours.

What bothers me more is:

1) That there's no standalone patch available for CVE-2011-3192 (the Range/Request-Range DoS), e.g. a patch someone could drop into files/patch-XXX and be done with it,

2) The portaudit database (security/vuxml) has not been updated to reflect this situation (I have done "portaudit -Fda" more times than I can count), so I believe there are people who have no idea they're affected (keep reading),

3) There are *lots* of people who run Apache who have no knowledge of this issue. Fellow senior-level SAs I know out east had never even heard of it, so I wouldn't be surprised if subscribers to freebsd-apache hadn't either.

I don't understand how/why this issue was disclosed so quietly (in my opinion).

Be aware the initial CVE announcement was inadequate and lacked directives that would ignore the old-yet-still-honoured Request-Range header, so some who think they're immune may not fully be. Furthermore, some of the Linux-oriented sites provided badly-written directives that are incorrect/wrong, and those are making their way into the "blogosphere".

The icing on the cake comes from "security experts" who posted "vulnerability test" scripts which are completely and entirely broken -- their perl code fails miserably (awful coding errors) and can/will report you as vulnerable when in fact you aren't. These made rounds on security lists all over -- what a nightmare.

If there are people here who do not know how to *properly* make themselves immune to the DoS mentioned in CVE-2011-3192, please reply to the list (not me personally) and I will take the time to do a full write-up, as well as provide a test methodology for you to use (requires www/p5-libwww). And I don't bother with Apache 1.3.x, sorry.

And finally, for those wondering what the DoS looks like on a FreeBSD box, one of our customers was hit with this twice (on the 29th and 30th) before I was able to deploy the workaround, so I can describe the behaviour of the system and all of the symptoms. Just let me know on-list and I can provide a write-up (I had to do one for the customer). Be aware said box is FreeBSD 7.x, but I'm certain the behaviour would be the exact same on all FreeBSD versions.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
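The message above stresses two points about CVE-2011-3192: a mitigation or test has to look at the legacy Request-Range header as well as Range, and the circulating test scripts miscounted ranges. The following added example (not part of the thread, not Jeremy's promised write-up) is a small defender-side checker that parses byte-range specs and flags a request whose Range or Request-Range header carries more ranges than a threshold; the threshold of five is an assumption modelled on the published Apache workaround, not a value from this message, and the sample headers are constructed.

```python
import re

# Assumed threshold (not from the thread): the workaround publicised for Apache
# 2.2.x treated more than five ranges in one request as abusive. Tune per site.
MAX_RANGES = 5

def parse_byte_ranges(value):
    """Parse 'bytes=0-99,200-,-500' into [(0, 99), (200, None), (None, 500)].
    Malformed specs are skipped; a non-'bytes' unit yields an empty list, so a
    naive comma count over the raw header is never used as the range count."""
    m = re.match(r'^\s*bytes\s*=\s*(.*)$', value, re.IGNORECASE)
    if not m:
        return []
    ranges = []
    for spec in m.group(1).split(','):
        start, sep, end = spec.strip().partition('-')
        if not sep or not (start.isdigit() or end.isdigit()):
            continue
        ranges.append((int(start) if start else None, int(end) if end else None))
    return ranges

def classify_range_request(headers, max_ranges=MAX_RANGES):
    """Return (suspicious, reason) for a dict of request headers.
    Both Range and the older Request-Range header are checked, since Apache
    honours either one; header names are matched case-insensitively."""
    for name in ('Range', 'Request-Range'):
        value = next((v for k, v in headers.items() if k.lower() == name.lower()), None)
        if value is None:
            continue
        count = len(parse_byte_ranges(value))
        if count > max_ranges:
            return True, f'{name} header carries {count} byte ranges'
    return False, ''

# Constructed sample requests (not captured traffic) for a stand-alone run.
MANY_RANGES = 'bytes=' + ','.join(f'{i}-{i}' for i in range(50))
SAMPLES = [
    {'Range': 'bytes=0-'},                 # ordinary download resume
    {'Range': 'bytes=0-99,100-199'},       # benign multi-range request
    {'Range': MANY_RANGES},                # excessive range count
    {'Request-Range': MANY_RANGES},        # same pattern via the legacy header
]

if __name__ == '__main__':
    for h in SAMPLES:
        print(classify_range_request(h), list(h)[0])
```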