apache2: Fixed several security issues
This update fixes several security issues in the Apache
webserver.
The patch for the ByteRange remote denial of service attack
(CVE-2011-3192) was refined and the configuration options
used by upstream were added. Introduce new config option:
Allow MaxRanges Number of ranges requested, if exceeded,
the complete content is served. default: 200 0|unlimited:
unlimited none: Range headers are ignored. This option is a
backport from 2.2.21.
Also fixed: CVE-2011-3348: Denial of service in proxy_ajp
when using a undefined method.
CVE-2011-3368: Exposure of internal servers via reverse
proxy methods with mod_proxy enabled and incorrect Rewrite
or Proxy Rules.
-
Submitted by
Adrian Schröter (adrianSuSE)
- Version 5347
Fixed bugs
bnc#713966
VUL-0: CVE-2011-3192: apache2: remote denial of service
bnc#719236
VUL-1: apache2: mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp
bnc#722545
VUL-1: CVE-2011-3368: apache2: mod_proxy reverse proxy exposure
