Bug 715372 - Apache Security Release
Status: RESOLVED DUPLICATE of bug 713966
Classification: openSUSE
Product: openSUSE 11.4
Component: Apache
Hardware: All
OS: SLES 11
Priority: P5 - None
Severity: Critical
Assigned To: E-mail List
Reported: 2011-08-31 21:51 UTC by Matthew Ehle
Modified: 2011-09-01 08:31 UTC
Description Matthew Ehle 2011-08-31 21:51:36 UTC
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.1) Gecko/20100101 Firefox/6.0.1

Apache recently released 2.2.20, which is an important security fix.  Please get this in the repositories as soon as possible.

Apache releases prior to this are vulnerable to a DoS attack that takes advantage of the way Apache handles the byte-range header.  An attacker can use this method to quickly take down Apache and seize up the whole server, sometimes requiring a reboot of the machine.

Reproducible: Always

Steps to Reproduce:
1. Download and run the Apache Killer script (http://seclists.org/fulldisclosure/2011/Aug/att-175/killapache_pl.bin)
2. Wait 30-60 seconds
Actual Results:  
Apache will start swapping to disk and the whole server will become unresponsive for a long time.

Expected Results:  
The new release ignores abusive byte-range headers and serves up the whole document.
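As an added illustration (not part of this bug report and not Apache's own code), a Python sketch of the fallback the reporter describes: a server parses the Range header and, when the requested ranges look abusive, ignores the header and serves the whole document with a 200 instead of a 206. The thresholds MAX_RANGES and MAX_TOTAL_RATIO and the sample headers are assumptions constructed for this example, not Apache's values.

```python
import re
from typing import List, Optional, Tuple

# Policy knobs for this illustration only; they are not Apache's settings.
MAX_RANGES = 5           # more byte ranges than this is treated as abusive
MAX_TOTAL_RATIO = 2.0    # requested bytes may not exceed 2x the document size

RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_byte_ranges(header: str, doc_len: int) -> Optional[List[Tuple[int, int]]]:
    """Parse 'bytes=a-b, c-d, -n, e-' into inclusive (start, end) offsets
    clipped to the document. Returns None for a malformed header, which a
    server would simply ignore; unsatisfiable ranges are dropped."""
    if not header.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m or m.group(1) == m.group(2) == "":
            return None                      # not 'a-b', 'a-' or '-n'
        first, last = m.group(1), m.group(2)
        if first == "":                      # suffix range: the last n bytes
            start, end = max(0, doc_len - int(last)), doc_len - 1
        else:
            start = int(first)
            end = int(last) if last else doc_len - 1
        if start >= doc_len:                 # lies entirely past the end
            continue
        end = min(end, doc_len - 1)
        if start > end:
            return None                      # inverted range, e.g. '10-5'
        ranges.append((start, end))
    return ranges

def range_decision(header: str, doc_len: int) -> str:
    """'206': honour the ranges. '200': ignore the Range header and serve
    the whole document, the behaviour the report attributes to 2.2.20."""
    ranges = parse_byte_ranges(header, doc_len)
    if not ranges or len(ranges) > MAX_RANGES:
        return "200"
    total = sum(end - start + 1 for start, end in ranges)
    if total > MAX_TOTAL_RATIO * doc_len:    # many overlapping ranges
        return "200"
    return "206"

# Constructed sample headers (not captured traffic).
BENIGN_RANGE = "bytes=0-499, 1000-1499"
ABUSIVE_RANGE = "bytes=" + ",".join(f"{i}-{i + 10}" for i in range(1000))
```

Calling `range_decision(BENIGN_RANGE, 4096)` yields "206" while the overlapping thousand-range header falls back to "200"; the same counting logic can be run over access logs or a WAF to flag requests that would have tripped the fallback.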
Comment 1 Marcus Meissner 2011-09-01 08:31:45 UTC

*** This bug has been marked as a duplicate of bug 713966 ***