Apache Fixes Range Header Flaw, Again

← Back to Stories (view on slashdot.org)

Apache Fixes Range Header Flaw, Again

Posted by samzenpus on Wednesday September 14, 2011 @09:09AM from the got-it-this-time dept.

Trailrunner7 writes "Two weeks after releasing a fix for the range-header denial-of-service flaw that was much-discussed on security forums and mailing lists, the Apache Software Foundation has pushed out another version of its popular Web server that includes a further fix for the same flaw. Apache 2.2.21 has a patch for the CVE-2011-3192 vulnerability that the group previously fixed in late August with the release of version 2.2.20. The vulnerability is an old one that recently resurfaced after a researcher published an advisory on a modified version of the bug and also released a tool capable of exploiting the vulnerability."

21 comments

Min score:

Reason:

Sort:

Quick fixes by Rhodri+Mawr · 2011-09-14 09:27 · Score: 3, Insightful

I would say that fixing the range header denial of service attack twice is nothing to be ashamed of. Firstly, you get a tested fix out quickly that protects sites that are likely to be under attack [targets]. These early adopters get the fix which stops the attack which is known in the wild. Two weeks later, you get the belt-and-braces fix which fixes the issue even for new variants of the known attack.
Compare this to Microsoft's one patch day a month policy which is rarely if ever varied.
1. Re:Quick fixes by Dunbal · 2011-09-14 09:35 · Score: 0, Flamebait
  
  Or Apple's "security flaws? We don't have any security flaws and shutthefuckup or we will sue you to oblivion" policy.
  
  --
  Seven puppies were harmed during the making of this post.
2. Re:Quick fixes by Anonymous Coward · 2011-09-14 09:38 · Score: 2, Funny
  
  meh, it's open source, why should you wait for apache to fix it for you? You can fix it yourself.
  I set up apache on my grandmother's linux computer so she can share photos over webdav (she likes to gimp her pictures). I stopped by a couple days ago to update apache but to my surprise, she had already heard about the bug, downloaded the source code, got a master's degree in computer science, and fixed it herself.
3. Re:Quick fixes by Anonymous Coward · 2011-09-14 09:42 · Score: 0
  
  i lol'd.
4. Re:Quick fixes by BlortHorc · 2011-09-14 10:14 · Score: 1
  
  I would say that fixing the range header denial of service attack twice is nothing to be ashamed of. Firstly, you get a tested fix out quickly that protects sites that are likely to be under attack [targets]. These early adopters get the fix which stops the attack which is known in the wild. Two weeks later, you get the belt-and-braces fix which fixes the issue even for new variants of the known attack.
  I think their response has been more than reasonable, given the actual flaw is a somewhat vaguely worded paragraph in the HTTP RFC regarding multiple requested ranges and how they should be treated. Sometimes the real bug is inherent to the protocol, and all vendors need to work together to seek a sensible remedy.
5. Re:Quick fixes by cavreader · 2011-09-14 16:18 · Score: 1
  
  The percentage of programmers capable of fixing the problems like this themselves is minuscule. Same thing applies to any major open source applications such as browsers. Identifying the flaw, fixing the flaw, and performing regression testing to make sure you have not introduced new problems requires an expert skill set that is quite different than the skill set needed to develop web and console user applications.The easy fixes have been done but the remaining bugs are causing the people who work on these applications full time difficulties.
6. Re:Quick fixes by Anonymous Coward · 2011-09-14 23:29 · Score: 0
  
  citation needed
7. Re:Quick fixes by lee1 · 2011-09-15 03:19 · Score: 1
  
  This is my first time, so I hope I do this right. Here goes:
  
  WHOOOOOOOSH!
8. Re:Quick fixes by cavreader · 2011-09-15 05:55 · Score: 1
  
  Ah! You must be Mr. Super Programmer! The "ability to fix it yourself" has always been one of the least important reasons to support the open source licensing model. The most important benefits have been reducing your problems if your closed source vendor goes out of business leaving you with an unsupported and stagnant application. Open source has also provided a large code base that developers are free to access and use in their own projects. There are a lot more developers who take advantage of this resource for their work but do not contribute their changes back into the community source pool unless absolutely required to by the license type. A lot of developers have no problems with using open sourced code to build applications that are only used internally. There is simply not a lot of non-IT businesses staffed with developers capable of modifying open sourced operating systems, modifying or creating hardware level interfaces, or understanding let alone enhance complex systems like browsers. The most prominent open source systems such as Linux and FireFox use full time dedicated developers working for companies who leverage those systems in their business models. Your average small, medium, or large business developers just use these systems as part of their application stack. They have plenty of sharp application developers and even developers capable of programming at the system level instead of relying solely on framework run times like Java or .NET. to handle the low level abstracted system functionality. Developers capable of realistically and economically able to modify operating systems are rare. Once upon a time C/C++ and Assembly code expertise was a standard requirement in normal business i any type of application development but the bulk of new developers today capable of programming at that level is shrinking. Scripting languages, pre-built frameworks, and client side web programming skills have replaced the need for low level programming skills.
9. Re:Quick fixes by sabt-pestnu · 2011-09-15 07:23 · Score: 1
  
  So what you're saying is "Le mieux est l'ennemi du bien"?
10. Re:Quick fixes by Anonymous Coward · 2011-09-15 09:55 · Score: 0
  
  can't, the post was removed from their forums.
11. Re:Quick fixes by Anonymous Coward · 2011-09-19 03:11 · Score: 0
  
  always fun to troll with no proof isn't it. god you must REALLY hate that computer vendor you do not purchase from.
2.0.65? by PrimaryConsult · 2011-09-14 10:58 · Score: 1

Nice.
I hope the one for 2.0.64 comes out soon... but at the same time I'm glad the 2.2 guys are the guinea pigs seeing regressions and not us :).
1. Re:2.0.65? by thogard · 2011-09-14 11:47 · Score: 1
  
  More people are running 1.3 than 2.0 now. Going from 1.3 to 2.2 with a custom module sometimes means a rewrite but going from 2.0 to 2.2 tends to be updating a few elements in some structures.
2. Re:2.0.65? by Anonymous Coward · 2011-09-14 15:29 · Score: 0
  
  Just upgrade already, jeez.
3. Re:2.0.65? by soundguy · 2011-09-14 16:28 · Score: 1
  
  I still run 2.0 on a handful of servers that use mod_auth_mysql because it apparently doesn't work on 2.2
  
  --
  Nothing worthwhile ever happens before noon
4. Re:2.0.65? by Anonymous Coward · 2011-09-14 19:25 · Score: 0
  
  2.2 has mod_auth_dbd.
Big deal by Anonymous Coward · 2011-09-15 01:18 · Score: 0

All they changed was the response codes because they violated the RFC standard. If it was microsoft or apple they would have said it was a "Feature upgrade", or Adobe they wold have fixed it silently.