apache killer에 대한 버그 패치 (3192)에 대한 improved 버전(http://httpd.apache.org/security/CVE-2011-3192.txt)과 새로 발생된 3348 보안 패치에 대해서 apache httpd 쪽에서 패치를 내놓았다.

dos 공격시 문제를 줄인 버그라고 하니. 패치하는 게 좋을 것 같다.

mod_proxy_ajp 모듈이 잘못된 HTTP requests이 요청이 왔을때 문제가 일어날 수 있다.

moderate: mod_proxy_ajp remote DoS CVE-2011-3348

A flaw was found when mod_proxy_ajp is used together with mod_proxy_balancer. Given a specific configuration, a remote attacker could send certain malformed HTTP requests, putting a backend server into an error state until the retry timeout expired. This could lead to a temporary denial of service.

Apache HTTP Server 2.2.21 Released 2011-09-13

The Apache HTTP Server Project is proud to announce the release of version 2.2.21 of the Apache HTTP Server ("httpd"). This version is principally a security and bugfix release. Notably, it resolves CVE-2011-3348 and provides further bug fixes to the resolution of CVE-2011-3192 (initially corrected in 2.2.20).

The current advisory for CVE-2011-3192 has been be revised at http://httpd.apache.org/security/CVE-2011-3192.txt and further updates for the community will be published to this url.

This version of httpd is a major release of the stable branch, and represents the best available version of Apache HTTP Server. New features include Smart Filtering, Improved Caching, AJP Proxy, Proxy Load Balancing, Graceful Shutdown support, Large File Support, the Event MPM, and refactored Authentication/Authorization.

3192에 대한 문제를 원천적으로 해결하기 위해서 이번 버전부터 MaxRange라는 지시자가 새로 생겼다.
최대값은 200이다.

MaxRanges Directive

Description: Number of ranges allowed before returning the complete resource
Syntax: MaxRanges default | unlimited | none | number-of-ranges
Default: MaxRanges 200
Context: server config, virtual host, directory
Status: Core
Module: core
Compatibility: Available in Apache HTTP Server 2.2.21 and later

The MaxRanges directive limits the number of HTTP ranges the server is willing to return to the client. If more ranges then permitted are requested, the complete resource is returned instead.

Limits the number of ranges to a compile-time default of 200.
Range headers are ignored.
The server does not limit the number of ranges it is willing to satisfy.
A positive number representing the maximum number of ranges the server is willing to satisfy.

Posted by '김용환'