
List:       apache-httpd-dev
Subject:    Re: svn commit: r1162874 - in /httpd/httpd/branches/2.2.x: CHANGES
From:       "William A. Rowe Jr." <wrowe () rowe-clan ! net>
Date:       2011-08-29 21:32:11
Message-ID: 4E5C055B.2070908 () rowe-clan ! net

On 8/29/2011 3:48 PM, Stefan Fritsch wrote:
> On Mon, 29 Aug 2011, William A. Rowe Jr. wrote:
> 
>> On 8/29/2011 10:40 AM, jim@apache.org wrote:
>>> Author: jim
>>> Date: Mon Aug 29 15:40:19 2011
>>> New Revision: 1162874
>>>
>>>  Changes with Apache 2.2.20
>>>
>>> +  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
>>> +     core: Fix handling of byte-range requests to use less memory, to avoid
>>> +     denial of service. If the sum of all ranges in a request is larger than
>>> +     the original file, ignore the ranges and send the complete file.
>>> +     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
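Review bot: The second sentence of the new entry ("If the sum of all ranges in a request is larger than the original file, ...") sits under the SECURITY: CVE-2011-3192 label and shares PR 51714 with the memory fix, so a reader of CHANGES cannot tell which of the two changes addresses the CVE. Suggest giving the sum-of-ranges rule its own "*)" entry and keeping only the memory-usage sentence under the CVE label.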
>>
>> The latter sentence is clearly no protection against the flaw if the server
>> offers huge resources, such as .iso's, larger packages or large pdfs.  Also
>> we have handlers which aren't going to indicate a C-L.  It would seem that
>> the first sentence is comprehensive enough to flag as -3192, and the latter
>> is a bug fix, but not really part of a security solution.
> 
> I have included the second part because it is related to the 0-,0-,0-,... issue
> (http://seclists.org/bugtraq/2007/Jan/83). But it really has nothing to do with
> CVE-2011-3192. Feel free to rephrase/remove/split into two entries/...

+1 to split them into two different changes.
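
The sum-of-ranges rule from the quoted CHANGES entry, as an added C sketch that is not httpd's code and not from anyone in this thread; the function names and the convention that a length of -1 means "no C-L" are assumptions. Evaluating one constructed header against bodies of different sizes shows that the threshold scales with the resource, and that without a length the rule has nothing to compare against.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes requested by a Range header against a body of clen bytes, or -1 if
 * malformed. Handles first-last, first- and -suffix; overlaps count in full. */
long long range_sum(const char *hdr, long long clen)
{
    const char *p = hdr;
    char *end = NULL;
    long long sum = 0, first, last;

    if (strncmp(p, "bytes=", 6) != 0) return -1;
    for (p += 6; *p; p = (*end == ',') ? end + 1 : end) {
        if (*p == '-') {                     /* -N: the last N bytes */
            long long n = strtoll(p + 1, &end, 10);
            if (end == p + 1 || n < 0) return -1;
            first = clen - (n > clen ? clen : n);
            last = clen - 1;
        } else {
            first = strtoll(p, &end, 10);
            if (end == p || first < 0 || *end != '-') return -1;
            p = end + 1;
            last = strtoll(p, &end, 10);     /* no digits: open-ended "N-" */
            if (end == p || last >= clen) last = clen - 1;
        }
        if (*end != ',' && *end != '\0') return -1;
        if (first <= last) sum += last - first + 1;  /* skip unsatisfiable */
    }
    return sum;
}

/* 1: serve the ranges; 0: ignore them and send the complete body;
 * -1: rule not applicable (length unknown, bad header, nothing satisfiable). */
int range_decision(const char *hdr, long long clen)
{
    long long sum = clen < 0 ? -1 : range_sum(hdr, clen);  /* assumed: -1 = no C-L */
    if (sum <= 0) return -1;
    return sum <= clen;
}

int main(void)
{
    const char *h = "bytes=0-99,0-99,0-99,0-99,0-99";  /* constructed header */
    printf("400-byte body: %d, 1000-byte body: %d, no C-L: %d\n",
           range_decision(h, 400), range_decision(h, 1000), range_decision(h, -1));
    return 0;
}
```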
