- SECURITY: CVE-2011-3192 (cve.mitre.org) core: Further fixes to the handling of byte-range requests to use less memory, to avoid denial of service. This patch includes fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive.
- SECURITY: CVE-2011-3348 (cve.mitre.org) mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp: balancer members in an error state, avoiding denial of service.
A couple of weeks ago, the discovery of a vulnerability in Apache left millions of web sites open to DoS attacks. The problem revolves around how Apache handles byte-range headers and was first addressed in version 2.2.20. Apache 2.2.20 does fix the issue, but with a number of side effects: version 2.2.21 corrects a protocol defect in 2.2.20 and also introduces the MaxRanges directive.
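To show what a MaxRanges-style cap actually decides, here is an added Python illustration (not Apache's code and not part of the original announcement). It parses an HTTP/1.1 Range header, applies a cap on the number of ranges, coalesces overlapping ranges, and measures how much output a header would generate relative to the size of the resource. The function names, the RangeDecision type and all sample headers are constructed for this example; the default of 200 is the value Apache's documentation gives for MaxRanges.

```python
"""Byte-range request check modelled on a MaxRanges-style cap.

Added illustration, not Apache's code. Parses an HTTP/1.1 Range header
(RFC 2616 section 14.35, "bytes" unit only), applies a cap on the number
of ranges, and measures how many bytes the ranges would make the server
emit relative to the resource size. All sample headers are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_RANGES_DEFAULT = 200  # default documented for Apache 2.2.21's MaxRanges

_SPEC = re.compile(r"^(\d*)-(\d*)$")  # first-byte-pos "-" last-byte-pos; either may be empty


def parse_byte_ranges(header: str, length: int) -> Optional[List[Tuple[int, int]]]:
    """Return inclusive (first, last) pairs for each satisfiable range spec.

    None means the header is syntactically invalid (a server then behaves as
    if no Range header were sent).  Unsatisfiable specs are dropped, so an
    empty list means every range was unsatisfiable (HTTP 416).
    """
    if not header.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m:
            return None
        first, last = m.groups()
        if first == "" and last == "":
            return None                       # "-" alone is not a range spec
        if first == "":                       # suffix-byte-range-spec: last N bytes
            n = int(last)
            if n == 0 or length == 0:
                continue                      # zero-length suffix: unsatisfiable
            ranges.append((max(0, length - n), length - 1))
            continue
        start = int(first)
        if start >= length:
            continue                          # starts beyond the resource: unsatisfiable
        end = length - 1 if last == "" else min(int(last), length - 1)
        if end < start:
            return None                       # last-byte-pos < first-byte-pos is invalid syntax
        ranges.append((start, end))
    return ranges


def coalesce(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge overlapping or adjacent ranges.  Repeated ranges are what lets one
    request ask for far more output than the resource holds; merging bounds the
    reply at one copy.  This is the general technique, not a claim about the
    exact merging rules Apache uses."""
    merged: List[Tuple[int, int]] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


@dataclass
class RangeDecision:
    action: str                                   # "full", "partial" or "unsatisfiable"
    ranges: List[Tuple[int, int]] = field(default_factory=list)
    requested_bytes: int = 0
    reason: str = ""

    def amplification(self, length: int) -> float:
        """Bytes of body per byte of resource; above 1 the same bytes were asked for
        more than once, a useful detection signal in access-layer logging."""
        return self.requested_bytes / length if length else 0.0


def decide(header: str, length: int, max_ranges: Optional[int] = MAX_RANGES_DEFAULT) -> RangeDecision:
    """MaxRanges semantics: over the cap, the Range header is ignored and the whole
    resource is served (200) instead of a multipart/byteranges reply.  A cap of
    None models 'unlimited'."""
    ranges = parse_byte_ranges(header, length)
    if ranges is None:
        return RangeDecision("full", reason="malformed Range header ignored")
    if not ranges:
        return RangeDecision("unsatisfiable", reason="no satisfiable range (416)")
    if max_ranges is not None and len(ranges) > max_ranges:
        return RangeDecision("full", reason=f"{len(ranges)} ranges exceed MaxRanges {max_ranges}")
    requested = sum(end - start + 1 for start, end in ranges)
    return RangeDecision("partial", ranges, requested, "within MaxRanges")


if __name__ == "__main__":
    # Constructed samples: a normal resume request, and a header that repeats
    # one overlapping range 300 times, the shape a MaxRanges cap exists to stop.
    samples = {
        "resume download": "bytes=500-",
        "repeated overlapping ranges": "bytes=" + ",".join(["0-"] * 300),
    }
    for label, hdr in samples.items():
        for cap in (MAX_RANGES_DEFAULT, None):
            d = decide(hdr, 1000, cap)
            print(f"{label:28} MaxRanges={cap!s:9} -> {d.action:13} "
                  f"x{d.amplification(1000):.0f} output  ({d.reason})")
```

In the server itself the equivalent knob is the directive the release adds, `MaxRanges default|unlimited|none|number-of-ranges`: `none` disables range handling, `unlimited` removes the cap, and `default` is 200, which is what the example's `MAX_RANGES_DEFAULT` mirrors. Lowering it is the cheap mitigation on 2.2.21; on hosts that cannot upgrade, coalescing and a cap are the two properties any compensating control should provide.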