Date: Sun, 23 Jun 2002 02:06:20 -0700 From: Terry Lambert <tlambert2@mindspring.com> To: Joshua Lee <yid@softhome.net> Cc: root@utility.clubscholarship.com, freebsd-hackers@freebsd.org Subject: Re: inuring FreeBSD to the apache bug without upgrading apache ? Message-ID: <3D158F8C.8AA61132@mindspring.com> References: <20020620141424.U68572-100000@utility.clubscholarship.com> <3D129688.356A87D0@mindspring.com> <20020623003014.1575c491.yid@softhome.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Joshua Lee wrote: > Terry Lambert <tlambert2@mindspring.com> wrote: > > Patrick Thomas wrote: > > > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your > > > system is no longer vulnerable to the "chunking" attack, even if you are > > > still running a vulnerable apache ? > > > > Not FreeBSD, but it's possible to reconfigure Apache. > > > > The way you would deal with this would be to tell Apache that it > > was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. > > I've found a better solution! On today's freshports there is something > called mod_blowchunks :-) If installed, it will reject chunking and log > it. This is an alternative to upgrading Apache. But if a client uses chunking legitimately, and does so becuase it believes it's talking to an HTTP server, you've just broken that client's ability to POST/PUT. -- Terry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D158F8C.8AA61132>