Bug 714306

Summary: Range header DoS vulnerability Apache HTTPD CVE-2011-3192
Product: [openSUSE] openSUSE 11.4 Reporter: Sebastian Siebert <freespacer>
Component: Apache Assignee: Security Team bot <security-team>
Status: VERIFIED DUPLICATE QA Contact: E-mail List <qa-bugs>
Severity: Critical    
Priority: P5 - None CC: security-team
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Sebastian Siebert 2011-08-25 20:55:26 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0

This vulnerability in Apache is public now. We need the patch from the Apache developers to fix the potential DoS issue in Apache. The patch will surely come the very next day.

http://www.h-online.com/open/news/item/Tool-causes-Apache-web-server-to-freeze-Update-1330105.html

http://article.gmane.org/gmane.comp.apache.announce/58

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192

We should apply the patch ASAP in
- openSUSE 11.3
- openSUSE 11.4
- Apache Repository (http://download.opensuse.org/repositories/Apache)


Reproducible: Always

Steps to Reproduce:
1. Send an insane range header

Actual Results:  
Out of memory

Expected Results:  
It does not run into an out-of-memory condition

Comment 1 Matthias Weckbecker 2011-08-26 13:45:07 UTC
Looks like a dupe of bnc#713966.

*** This bug has been marked as a duplicate of bug 713966 ***