Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 21 Jun 2002 02:29:30 -0400
From:      Joshua Lee <yid@softhome.net>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        root@utility.clubscholarship.com, freebsd-hackers@freebsd.org
Subject:   Re: inuring FreeBSD to the apache bug without upgrading apache ?
Message-ID:  <20020621022930.088904b7.yid@softhome.net>
In-Reply-To: <3D129688.356A87D0@mindspring.com>
References:  <20020620141424.U68572-100000@utility.clubscholarship.com> <3D129688.356A87D0@mindspring.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 20 Jun 2002 19:59:20 -0700
Terry Lambert <tlambert2@mindspring.com> wrote:

> Patrick Thomas wrote:
> > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your
> > system is no longer vulnerable to the "chunking" attack, even if you are
> > still running a vulnerable apache ?

Why not upgrade Apache...?? Both the 1 and 2 series have been updated I think. (I'm a newbie at server stuff, so bear with me if I made a faux pas.)

> The way you would deal with this would be to tell Apache that it
> was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature.
> 
> The only place this is an issue is if you need to reuse an HTTP
> connection, and that only occurs in HTTP 1.1 when you are doing
> pipelining.  Everywhere else, you can indicate an end of data

Mozilla has an option to enable http pipelining as a performance option. I regularly used this, maybe I shouldn't?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020621022930.088904b7.yid>