Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apache Fixes Range Header Flaw, Again

Posted by samzenpus on from the got-it-this-time dept.

Trailrunner7 writes "Two weeks after releasing a fix for the range-header denial-of-service flaw that was much-discussed on security forums and mailing lists, the Apache Software Foundation has pushed out another version of its popular Web server that includes a further fix for the same flaw. Apache 2.2.21 has a patch for the CVE-2011-3192 vulnerability that the group previously fixed in late August with the release of version 2.2.20. The vulnerability is an old one that recently resurfaced after a researcher published an advisory on a modified version of the bug and also released a tool capable of exploiting the vulnerability."

2 of 21 comments (clear)

  1. Quick fixes by Rhodri+Mawr · · Score: 3, Insightful

    I would say that fixing the range header denial of service attack twice is nothing to be ashamed of. Firstly, you get a tested fix out quickly that protects sites that are likely to be under attack [targets]. These early adopters get the fix which stops the attack which is known in the wild. Two weeks later, you get the belt-and-braces fix which fixes the issue even for new variants of the known attack.
    Compare this to Microsoft's one patch day a month policy which is rarely if ever varied.

    1. Re:Quick fixes by Anonymous Coward · · Score: 2, Funny

      meh, it's open source, why should you wait for apache to fix it for you? You can fix it yourself.

      I set up apache on my grandmother's linux computer so she can share photos over webdav (she likes to gimp her pictures). I stopped by a couple days ago to update apache but to my surprise, she had already heard about the bug, downloaded the source code, got a master's degree in computer science, and fixed it herself.