apache2: Fixed several security issues
This update fixes several security issues in the Apache
webserver.
The patch for the ByteRange remote denial of service attack
(CVE-2011-3192) was refined and the configuration options
used by upstream were added. This introduces the new config
option MaxRanges, which limits the number of ranges a single
request may ask for; if the limit is exceeded, the complete
content is served instead of a multipart response. Accepted
values: a number (default: 200); 0 or unlimited: no limit;
none: Range headers are ignored. This option is a backport
from 2.2.21.
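As an added illustration (not code from this update or from Apache itself), the following Python model applies the MaxRanges policy described above to a Range header: the function names, the returned actions and the sample headers are assumptions of this example, not part of the original page.

```python
import re
from typing import Optional

# Matches one byte-range spec such as "0-10", "500-" or "-200".
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header: str) -> Optional[list]:
    """Parse 'bytes=a-b,c-,-d' into (start, end) tuples (None = open end).

    Returns None when the header is not a syntactically valid bytes range,
    which a server treats like a missing Range header (serve full content).
    """
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def decide_range_handling(header: Optional[str], max_ranges="200") -> dict:
    """Model the MaxRanges option: a number caps the range count, 0 or
    'unlimited' disables the cap, 'none' ignores Range headers entirely.

    Returns {'action': 'full' | 'partial' | 'ignore', 'count': n}.
    """
    policy = str(max_ranges).strip().lower()
    if policy == "none":
        return {"action": "ignore", "count": 0}
    if header is None:
        return {"action": "full", "count": 0}
    ranges = parse_byte_ranges(header)
    if ranges is None:  # malformed Range: fall back to the whole resource
        return {"action": "full", "count": 0}
    count = len(ranges)
    if policy in ("0", "unlimited"):
        return {"action": "partial", "count": count}
    if count > int(policy):  # over the cap: serve complete content
        return {"action": "full", "count": count}
    return {"action": "partial", "count": count}


# Constructed sample headers (not captured traffic) for a quick self-check.
SAMPLE_SMALL = "bytes=0-10,5-20"
SAMPLE_MANY = "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(5))
```

With the cap at 3, SAMPLE_MANY (5 ranges) falls back to the complete content while SAMPLE_SMALL still gets a partial response.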
Also fixed: CVE-2011-3348: Denial of service in proxy_ajp
when using an undefined method.
CVE-2011-3368: Exposure of internal servers via reverse
proxy methods with mod_proxy enabled and incorrect Rewrite
or Proxy Rules.
- Submitted by Adrian Schröter (adrianSuSE)
- Version 5347
Fixed bugs
bnc#713966
VUL-0: CVE-2011-3192: apache2: remote denial of service
bnc#719236
VUL-1: apache2: mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp
bnc#722545
VUL-1: CVE-2011-3368: apache2: mod_proxy reverse proxy exposure
CVE#CVE-2011-3192
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploi