December 10, 2016

New Apache Version with Further Fixes for Handling Byte-range Requests

(LiveHacking.Com) – The Apache Software Foundation has released version 2.2.21 of the Apache HTTP Server. This is mainly a security and bug-fix release; the changelog lists two security fixes:

  • SECURITY: CVE-2011-3192 (cve.mitre.org) core: Further fixes to the handling of byte-range requests to use less memory, to avoid denial of service. This patch includes fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive.
  • SECURITY: CVE-2011-3348 (cve.mitre.org) mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp: balancer members in an error state, avoiding denial of service.

A couple of weeks ago the disclosure of a vulnerability in Apache left millions of web sites open to DoS attacks. The problem lies in how Apache handles the Range header: a single request can ask for a very large number of byte ranges, many of them overlapping, and the server spends memory on every one of them. The issue was fixed in version 2.2.20, but that fix had side effects, among them a protocol-compliance defect. Version 2.2.21 corrects that defect and introduces the MaxRanges directive, which limits how many ranges the server is willing to return in one response; a request that asks for more than the limit is answered with the complete resource (a 200 response) instead of a multipart 206.
