Re: Grave apache dos possible through byterange requests

To: debian-security@lists.debian.org
Subject: Re: Grave apache dos possible through byterange requests
From: Thomas Hungenberg <th+lists-debian@demonium.de>
Date: Sun, 28 Aug 2011 22:27:00 +0200
Message-id: <[🔎] 4E5AA494.8030905@demonium.de>
In-reply-to: <[🔎] 4E5792D8.4050801@igalia.com>
References: <[🔎] 20110826111700.64bfc0f0@sys-251.netcologne.de> <[🔎] 4E577AF0.8080300@igalia.com> <[🔎] 4E5781F4.1030903@fastmail.fm> <[🔎] 4E5792D8.4050801@igalia.com>

Carlos Alberto Lopez Perez wrote:
> The new advisory [1] recommends this:
> 
>          # Drop the Range header when more than 5 ranges.
>          # CVE-2011-3192
>          SetEnvIf Range (?:,.*?){5,5} bad-range=1
>          RequestHeader unset Range env=bad-range
> 
>          # We always drop Request-Range; as this is a legacy
>          # dating back to MSIE3 and Netscape 2 and 3.
>          RequestHeader unset Request-Range
> 
>          # optional logging.
>          CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
>          CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range

What's the use of the second CustomLog line?
'bad-req-range' is never set, is it?

  - Thomas

Reply to:

References:
- Re: Grave apache dos possible through byterange requests
  - From: Christian Hammers <ch@debian.org>
- Re: Grave apache dos possible through byterange requests
  - From: Carlos Alberto Lopez Perez <clopez@igalia.com>
- Re: Grave apache dos possible through byterange requests
  - From: linbloke <linbloke@fastmail.fm>
- Re: Grave apache dos possible through byterange requests
  - From: Carlos Alberto Lopez Perez <clopez@igalia.com>

Prev by Date: Re: Grave apache dos possible through byterange requests
Next by Date: Abwesenheitsnotiz [SECURITY] [DSA 2298-1] apache2 security update
Previous by thread: Re: Grave apache dos possible through byterange requests
Next by thread: Abwesenheitsnotiz [SECURITY] [DSA 2298-1] apache2 security update
Index(es):
- Date
- Thread