Apache Security

Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

          Apache HTTPD Security ADVISORY
          ==============================

Title:    Range header DoS vulnerability Apache HTTPD 1.3/2.x

CVE:      CVE-2011-3192
Date:     20110824 1600Z
Product:  Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions

Description:
============

A denial of service vulnerability has been found in the way the multiple 
overlapping ranges are handled by the Apache HTTPD server:

     http://seclists.org/fulldisclosure/2011/Aug/175 

An attack tool is circulating in the wild. Active use of this tool has 
been observed.

The attack can be done remotely and with a modest number of requests can 
cause very significant memory and CPU usage on the server. 

The default Apache HTTPD installation is vulnerable.

There is currently no patch/new version of Apache HTTPD which fixes this 
vulnerability. This advisory will be updated when a long term fix 
is available. 

A full fix is expected in the next 48 hours. 

Mitigation:
============

However there are several immediate options to mitigate this issue until 
a full fix is available:

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
   either ignore the Range: header or reject the request.

   Option 1: (Apache 2.0 and 2.2)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

   Option 2: (Also for Apache 1.3)

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          RewriteEngine on
          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
          RewriteRule .* - [F]

   The number 5 is arbitrary. Several 10's should not be an issue and may be
   required for sites which for example serve PDFs to very high end eReaders
   or use things such as complex http based video streaming.

2) Limit the size of the request field to a few hundred bytes. Note that while 
   this keeps the offending Range header short - it may break other headers; 
   such as sizeable cookies or security fields. 

          LimitRequestFieldSize 200

   Note that as the attack evolves in the field you are likely to have
   to further limit this and/or impose other LimitRequestFields limits.

   See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

3) Use mod_headers to completely dis-allow the use of Range headers:

          RequestHeader unset Range 

   Note that this may break certain clients - such as those used for
   e-Readers and progressive/http-streaming video.

4) Deploy a Range header count module as a temporary stopgap measure:

     http://people.apache.org/~dirkx/mod_rangecnt.c

   Precompiled binaries for some platforms are available at:

	http://people.apache.org/~dirkx/BINARIES.txt

5) Apply any of the current patches under discussion - such as:

   http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e

Actions:
========

Apache HTTPD users who are concerned about a DoS attack against their server 
should consider implementing any of the above mitigations immediately. 

When using a third party attack tool to verify vulnerability - know that most 
of the versions in the wild currently check for the presence of mod_deflate; 
and will (mis)report that your server is not vulnerable if this module is not 
present. This vulnerability is not dependent on presence or absence of 
that module.

Planning:
=========

This advisory will be updated when new information, a patch or a new release 
is available. A patch or new apache release for Apache 2.0 and 2.2 is expected 
in the next 48 hours. Note that, while popular, Apache 1.3 is deprecated.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)

iEYEARECAAYFAk5VI+MACgkQ/W+IxiHQpxsz4wCgipR6nQmd45hAgFmI/8dHULLF
BtoAmQGsi2efZKibpaSMI+aCt8fQgWgS
=11BG
-----END PGP SIGNATURE-----
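
The two regexes from mitigation 1 can be checked offline against sample Range values before they are deployed. This is an added example, not part of the Apache advisory: `build_patterns`, `classify` and the sample values are constructed for illustration, Python's `re` stands in for Apache's regex engine, and the limit of 5 is made a parameter so a higher threshold can be tried.

```python
import re

def build_patterns(max_ranges=5):
    """Return the advisory's two regexes, parameterised on the allowed range count."""
    # Option 1 (SetEnvIf): max_ranges commas means more than max_ranges ranges.
    drop = re.compile(r"(,.*?){%d,}" % max_ranges)
    # Option 2 (RewriteCond, negated): 1..max_ranges byte ranges, or an empty value.
    allow = re.compile(r"(^bytes=[^,]+(,[^,]+){0,%d}$|^$)" % (max_ranges - 1))
    return drop, allow

def classify(range_header, max_ranges=5):
    """Return (option1_drops_header, option2_rejects_request) for one Range value."""
    drop, allow = build_patterns(max_ranges)
    value = range_header or ""  # both directives see "" when the header is absent
    return (drop.search(value) is not None, allow.search(value) is None)

# Constructed sample values, not taken from real traffic.
SAMPLES = [
    None,                                   # no Range header at all
    "bytes=0-499",                          # ordinary single range
    "bytes=0-1,2-3,4-5,6-7,8-9",            # exactly 5 ranges: allowed
    "bytes=0-1,2-3,4-5,6-7,8-9,10-11",      # 6 ranges: over the limit
    "bytes=0-1,,2-3",                       # empty range spec: only Option 2 objects
    "items=0-1",                            # non-bytes unit: only Option 2 objects
    # 30 distinct ranges, as a client fetching many chunks of a document might send
    "bytes=" + ",".join("%d-%d" % (i * 100, i * 100 + 99) for i in range(30)),
]

if __name__ == "__main__":
    for s in SAMPLES:
        label = repr(s) if s is None or len(s) < 40 else repr(s[:37] + "...")
        print("%-44s n=5 %s  n=40 %s" % (label, classify(s), classify(s, 40)))
```

Option 1 only counts commas, while Option 2 also enforces the `bytes=` prefix and non-empty range specs, so the two do not flag exactly the same requests.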


CVE-2011-1928

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419. (CVSS:4.3) (Last Update:2012-10-29)

Apache HTTP Server 2.2.19 Released

                       Apache HTTP Server 2.2.19 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.19 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release, correcting regressions in the httpd 2.2.18 package; the use
   of that previous 2.2.18 package is discouraged due to these flaws:

     * SECURITY: CVE-2011-1928 (cve.mitre.org)
       A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419
       introduced a new vulnerability.  httpd workers enter a hung state
       (100% cpu utilization) after updating to APR 1.4.4.  Upgrading to
       APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3
       or prior with the 'IgnoreClient' option of the 'IndexOptions'
       directive will circumvent both issues.

     * httpd 2.2.18: The ap_unescape_url_keep2f() function signature was
       inadvertently changed. This breaks binary compatibility of a number
       of third-party modules.  This httpd-2.2.19 package restores the
       function signature provided by 2.2.17 and prior.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.19 is available for download from:

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.19 provides the
   complete list of changes since 2.2.18.  A summary of all of the security
   vulnerabilities addressed in this and earlier releases is available:

     http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.5
   and APR Utility Library (APR-util) version 1.3.12, bundled with the tar
   and zip distributions.  The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.

   Apache 2.2 offers numerous enhancements, improvements, and performance
   boosts over the 2.0 codebase.  For an overview of new features
   introduced since 2.0 please see:

     http://httpd.apache.org/docs/2.2/new_features_2_2.html

   This release builds on and extends the Apache 2.0 API.  Modules written
   for Apache 2.0 will need to be recompiled in order to run with Apache
   2.2, and require minimal or no source code changes.

     http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.



[Announce] Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11


New releases are in progress for each of these projects and are
expected to be available in the coming days.  The upcoming httpd
2.2.19 will bundle new releases of apr and apr-util which correct
the regressions described below.  An announcement of these releases
will be broadcast.

Note: httpd 2.2.18 bundles apr 1.4.4 and apr-util 1.3.11.

Summary of regressions:

httpd 2.2.18: The ap_unescape_url_keep2f() function signature was changed.
This breaks binary compatibility of a number of third-party modules. In
addition, a regression in apr 1.4.4 (see below) could cause httpd to hang.

apr 1.4.4: A fix in apr 1.4.4 apr_fnmatch() to address CVE-2011-0419
introduced a new vulnerability.  A patch is attached and should be used
if httpd workers enter a hung state (100% cpu utilization) after updating
to httpd 2.2.18 or apr-util 1.4.4, or if hangs are seen in other apr
applications which use apr_fnmatch().

apr-util 1.3.11: A fix to LDAP support in apr-util 1.3.11 could cause
crashes with httpd's mod_authnz_ldap in some situations.




[Announce] Apache HTTP Server 2.2.18 Released

                       Apache HTTP Server 2.2.18 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.18 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release, and a security fix release of the APR 1.4.4 dependency;

     * SECURITY: CVE-2011-0419 (cve.mitre.org)
       apr_fnmatch flaw leads to mod_autoindex remote DoS
       Where mod_autoindex is enabled, and a directory indexed by
       mod_autoindex contained files with sufficiently long names,
       a carefully crafted request may cause excessive CPU usage.
       Upgrading to APR 1.4.4, or setting the 'IgnoreClient' option
       of the 'IndexOptions' directive circumvents this risk.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.18 is available for download from:

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.18 provides the
   complete list of changes since 2.2.17.  A summary of all of the security
   vulnerabilities addressed in this and earlier releases is available:

     http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.4
   and APR Utility Library (APR-util) version 1.3.11, bundled with the tar
   and zip distributions.  The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.

   Apache 2.2 offers numerous enhancements, improvements, and performance
   boosts over the 2.0 codebase.  For an overview of new features
   introduced since 2.0 please see:

     http://httpd.apache.org/docs/2.2/new_features_2_2.html

   This release builds on and extends the Apache 2.0 API.  Modules written
   for Apache 2.0 will need to be recompiled in order to run with Apache
   2.2, and require minimal or no source code changes.

     http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.



[ANNOUNCE] Apache HTTP Server 2.3.11-Beta Released

                Apache HTTP Server 2.3.11-beta Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.3.11-beta of the Apache HTTP
   Server ("Apache").  This version of Apache is our initial Beta release
   of Apache httpd 2.4 to test new technology and features that are incompatible
   or too large for the stable 2.2.x branch. This Beta release should not be
   presumed to be compatible with binaries built against any prior or future
   version, although, as a Beta, the API is in a semi-frozen state.

   Apache HTTP Server 2.3.11-beta is available for download from:

     http://httpd.apache.org/download.cgi

   Apache 2.3 offers numerous enhancements, improvements, and performance
   boosts over the 2.2 codebase.  For an overview of new features
   introduced since 2.3 please see:

     http://httpd.apache.org/docs/trunk/new_features_2_4.html

   Please see the CHANGES_2.3 file, linked from the download page, for a
   full list of changes.

   This release includes the Apache Portable Runtime (APR) version 1.4.2
   and APR-Util version 1.3.10 in a separate -deps tarball.  The APR libraries
   must be upgraded for all features of httpd to operate correctly.

   This release builds on and extends the Apache 2.2 API.  Modules written
   for Apache 2.2 will need to be recompiled in order to run with Apache
   2.3, and require minimal or no source code changes.

     http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING


[ANNOUNCEMENT] Apache httpd 2.3.10-alpha released

The expected-to-be-final alpha release of Apache HTTP Server
(aka, Apache httpd) 2.3.10-alpha is now available for download,
test and use.

Based on user and developer feedback, the next release of the
next-gen version of Apache httpd will likely be our first beta.
The hope and expectation is to push for a quick beta cycle and
a 2.4.0 GA release around the beginning of 2011.

Apache httpd 2.3.10-alpha can be found at:

	http://httpd.apache.org/




[ANNOUNCE] libapreq2-2.13 Released


        libapreq2-2.13 Released

The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.13 release of libapreq2.  This
Announcement notes significant changes introduced by this release.

libapreq2-2.13 is released under the Apache License
version 2.0.  It is now available through the ASF mirrors

      http://httpd.apache.org/apreq/download.cgi

and has entered the CPAN as 

  file: $CPAN/authors/id/I/IS/ISAAC/libapreq2-2.13.tar.gz
  size: 891320 bytes
   md5: c11fb0861aa84dcc6cd0f0798b045eee


libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data.  This package provides

    1) version 2.8.0 of the libapreq2 library,

    2) mod_apreq2, a filter module necessary for using libapreq2
       within the Apache HTTP Server,

    3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
       perl modules for using libapreq2 with mod_perl2.

========================================================================

Changes with libapreq2-2.13 (released December 3, 2010)

- HTTP Only Cookie [Robert Stone & Adam Prime]
  The C and Perl Cookie APIs now support an HttpOnly flag to tell 
  user agents to deny client-side script access to the cookie


[ANNOUNCE] mod_fcgid 2.3.6 is released

  The Apache Software Foundation and the Apache HTTP Server Project are
  pleased to announce the release of version 2.3.6 of mod_fcgid, a
  FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and
  future 2.4.  This version of mod_fcgid is a bug fix release.

  A fix is included for CVE-2010-3872, a potential vulnerability which
  can affect sites with untrusted FastCGI applications.

  Additionally, default configuration settings for request body handling
  have been changed to prevent large system resource use.  Administrators
  of all versions of mod_fcgid are strongly cautioned to ensure that
  FcgidMaxRequestLen is configured appropriately.

  mod_fcgid is available for download from:

    http://httpd.apache.org/download.cgi

  A full list of changes in this release follows:

  *) SECURITY: CVE-2010-3872 (cve.mitre.org)
     Fix possible stack buffer overwrite.  Diagnosed by the reporter.
     PR 49406.  [Edgar Frank <ef-lists email.de>]

  *) Change the default for FcgidMaxRequestLen from 1GB to 128K.
     Administrators should change this to an appropriate value based on
     site requirements.  [Jeff Trawick]

  *) Allow FastCGI apps more time to exit at shutdown before being
     forcefully killed.  [Jeff Trawick]

  *) Correct a problem that resulted in FcgidMaxProcesses being ignored
     in some situations.  PR 48981.  [<rkosolapov gmail.com>]

  *) Fix the search for processes with the proper vhost config when
     ServerName isn't set in every vhost or a module updates
     r->server->server_hostname dynamically (e.g., mod_vhost_cdb)
     or a module updates r->server dynamically (e.g., mod_vhost_ldap).
     [Jeff Trawick]

  *) FcgidPassHeader now maps header names to environment variable names
     in the usual manner: The header name is converted to upper case and
     is prefixed with HTTP_.  An additional environment variable is
     created with the legacy name.  PR 48964.  [Jeff Trawick]

  *) Allow processes to be reused within multiple phases of a request
     by releasing them into the free list as soon as possible.
     [Chris Darroch]

  *) Fix lookup of process command lines when using FcgidWrapper or
     access control directives, including within .htaccess files.
     [Chris Darroch]

  *) Resolve a regression in 2.3.5 with httpd 2.0.x on some Unix platforms;
     ownership of mutex files was incorrect, resulting in a startup failure.
     PR 48651.  [Jeff Trawick, <pservit gmail.com>]

  *) Return 500 instead of segfaulting when the application returns no output.
     [Tatsuki Sugiura <sugi nemui.org>, Jeff Trawick]

  *) In FCGI_AUTHORIZER role, avoid spawning a new process for every
     different HTTP request.  [Chris Darroch]


[announce] Apache HTTP Server 2.2.17 and 2.0.64 Released


   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.17 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release, and a security fix release of the APR-util 1.3.10 dependency;

     * SECURITY: CVE-2010-1623 (cve.mitre.org)
       Fix a denial of service attack against apr_brigade_split_line().

     * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
       Fix two buffer over-read flaws in the bundled copy of expat which
       could cause httpd to crash while parsing specially-crafted
       XML documents.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.17 is available for download from:

     http://httpd.apache.org/download.cgi

   Apache HTTP Server 2.0.64 legacy release is also currently available,
   with the same vulnerability correction as well as many others fixed in
   2.2.16 and earlier releases.  See the corresponding CHANGES files linked
   from the download page.  The Apache HTTP Project developers strongly
   encourage all users to migrate to Apache 2.2, as only limited and less
   frequent maintenance is provided for legacy versions.

   Apache 2.2 offers numerous enhancements, improvements, and performance
   boosts over the 2.0 codebase.  For an overview of new features
   introduced since 2.0 please see:

     http://httpd.apache.org/docs/2.2/new_features_2_2.html

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.17 provides the
   complete list of changes since 2.2.16.  A summary of all of the security
   vulnerabilities addressed in this and earlier releases is available:

     http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.2
   and APR Utility Library (APR-util) version 1.3.10, bundled with the tar
   and zip distributions.  The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.

   This release builds on and extends the Apache 2.0 API.  Modules written
   for Apache 2.0 will need to be recompiled in order to run with Apache
   2.2, and require minimal or no source code changes.

     http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.