
Apache Fixes Range Header Flaw, Again

samzenpus posted more than 3 years ago | from the got-it-this-time dept.

Security 21

Trailrunner7 writes "Two weeks after releasing a fix for the range-header denial-of-service flaw that was much-discussed on security forums and mailing lists, the Apache Software Foundation has pushed out another version of its popular Web server that includes a further fix for the same flaw. Apache 2.2.21 has a patch for the CVE-2011-3192 vulnerability that the group previously fixed in late August with the release of version 2.2.20. The vulnerability is an old one that recently resurfaced after a researcher published an advisory on a modified version of the bug and also released a tool capable of exploiting the vulnerability."
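As an added example, not code from Apache or from the story's submitter, here is a Python check of the kind a reverse proxy or request filter could apply to the Range header the story concerns: it resolves the header's byte ranges per RFC 2616 and flags the CVE-2011-3192 request shape, either too many ranges or ranges that overlap so heavily that the bytes requested far exceed the bytes actually covered. MAX_RANGES and MAX_AMPLIFICATION are assumed thresholds, not values from the page or from httpd.

```python
# Added example (not Apache's code): a defender-side check for the CVE-2011-3192
# pattern, a Range header with many (often overlapping) byte ranges. The caps are
# illustrative assumptions; httpd's own fixes enforce their own internal limits.
import re
from typing import List, Tuple

MAX_RANGES = 20        # hypothetical cap on ranges per request
MAX_AMPLIFICATION = 4  # hypothetical cap on requested bytes / distinct bytes
_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header: str, length: int) -> List[Tuple[int, int]]:
    """Resolve a 'bytes=' Range header into (first, last) pairs per RFC 2616 14.35;
    unsatisfiable specs are dropped, malformed ones raise ValueError."""
    if not header.lower().startswith("bytes="):
        raise ValueError("unsupported range unit")
    out = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            raise ValueError(f"malformed range-spec {spec!r}")
        first, last = m.groups()
        if first == "":                      # suffix form "-N": the last N bytes
            start, end = max(length - int(last), 0), (length - 1 if int(last) else -1)
        else:
            start = int(first)
            end = length - 1 if last == "" else min(int(last), length - 1)
        if start <= end:                     # drop unsatisfiable specs (past EOF, -0)
            out.append((start, end))
    return out

def distinct_bytes(ranges: List[Tuple[int, int]]) -> int:
    """Bytes actually covered once overlapping ranges are merged."""
    total, cur_end = 0, -1
    for start, end in sorted(ranges):
        start = max(start, cur_end + 1)
        if end >= start:
            total += end - start + 1
            cur_end = end
    return total

def assess(header: str, length: int) -> str:
    """Classify one Range header: 'ok', 'too-many-ranges' or 'overlapping'."""
    ranges = parse_ranges(header, length)
    if len(ranges) > MAX_RANGES:
        return "too-many-ranges"
    requested = sum(e - s + 1 for s, e in ranges)
    # a sane request asks for each byte about once; heavy overlap inflates this
    if requested > MAX_AMPLIFICATION * distinct_bytes(ranges):
        return "overlapping"
    return "ok"
```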


21 comments


lol (-1)

Anonymous Coward | more than 3 years ago | (#37403550)

lol open source, moar liek OPEN SORES amirite?

Re:lol (-1)

Anonymous Coward | more than 3 years ago | (#37403736)

have u checked your balance at the apple store lately?

Re:lol (-1, Flamebait)

auLucifer (1371577) | more than 3 years ago | (#37403942)

Why's that? Does your mum have a sale on I should know about?

Quick fixes (3, Insightful)

Rhodri Mawr (862554) | more than 3 years ago | (#37403684)

I would say that fixing the range header denial of service attack twice is nothing to be ashamed of. Firstly, you get a tested fix out quickly that protects sites that are likely to be under attack [targets]. These early adopters get the fix which stops the attack which is known in the wild. Two weeks later, you get the belt-and-braces fix which fixes the issue even for new variants of the known attack.
Compare this to Microsoft's one patch day a month policy which is rarely if ever varied.

Re:Quick fixes (0, Flamebait)

Dunbal (464142) | more than 3 years ago | (#37403796)

Or Apple's "security flaws? We don't have any security flaws and shutthefuckup or we will sue you to oblivion" policy.

Re:Quick fixes (0)

Anonymous Coward | more than 3 years ago | (#37408046)

citation needed

Re:Quick fixes (0)

Anonymous Coward | more than 3 years ago | (#37414734)

can't, the post was removed from their forums.

Re:Quick fixes (0)

Anonymous Coward | more than 3 years ago | (#37442014)

always fun to troll with no proof isn't it. god you must REALLY hate that computer vendor you do not purchase from.

Re:Quick fixes (2, Funny)

Anonymous Coward | more than 3 years ago | (#37403826)

meh, it's open source, why should you wait for apache to fix it for you? You can fix it yourself.

I set up apache on my grandmother's linux computer so she can share photos over webdav (she likes to gimp her pictures). I stopped by a couple days ago to update apache but to my surprise, she had already heard about the bug, downloaded the source code, got a master's degree in computer science, and fixed it herself.

Re:Quick fixes (0)

Anonymous Coward | more than 3 years ago | (#37403886)

i lol'd.

Re:Quick fixes (1)

cavreader (1903280) | more than 3 years ago | (#37406474)

The percentage of programmers capable of fixing the problems like this themselves is minuscule. Same thing applies to any major open source applications such as browsers. Identifying the flaw, fixing the flaw, and performing regression testing to make sure you have not introduced new problems requires an expert skill set that is quite different than the skill set needed to develop web and console user applications. The easy fixes have been done but the remaining bugs are causing the people who work on these applications full time difficulties.

Re:Quick fixes (1)

lee1 (219161) | more than 3 years ago | (#37409956)

This is my first time, so I hope I do this right. Here goes:

WHOOOOOOOSH!

Re:Quick fixes (1)

cavreader (1903280) | more than 3 years ago | (#37412030)

Ah! You must be Mr. Super Programmer! The "ability to fix it yourself" has always been one of the least important reasons to support the open source licensing model. The most important benefits have been reducing your problems if your closed source vendor goes out of business leaving you with an unsupported and stagnant application. Open source has also provided a large code base that developers are free to access and use in their own projects. There are a lot more developers who take advantage of this resource for their work but do not contribute their changes back into the community source pool unless absolutely required to by the license type. A lot of developers have no problems with using open sourced code to build applications that are only used internally. There are simply not a lot of non-IT businesses staffed with developers capable of modifying open sourced operating systems, modifying or creating hardware level interfaces, or understanding, let alone enhancing, complex systems like browsers. The most prominent open source systems such as Linux and Firefox use full time dedicated developers working for companies who leverage those systems in their business models. Your average small, medium, or large business developers just use these systems as part of their application stack. They have plenty of sharp application developers and even developers capable of programming at the system level instead of relying solely on framework run times like Java or .NET to handle the low level abstracted system functionality. Developers realistically and economically able to modify operating systems are rare. Once upon a time C/C++ and Assembly code expertise was a standard requirement in normal business in any type of application development, but the bulk of new developers today capable of programming at that level is shrinking. Scripting languages, pre-built frameworks, and client side web programming skills have replaced the need for low level programming skills.

Re:Quick fixes (1)

BlortHorc (305555) | more than 3 years ago | (#37404286)

I would say that fixing the range header denial of service attack twice is nothing to be ashamed of. Firstly, you get a tested fix out quickly that protects sites that are likely to be under attack [targets]. These early adopters get the fix which stops the attack which is known in the wild. Two weeks later, you get the belt-and-braces fix which fixes the issue even for new variants of the known attack.

I think their response has been more than reasonable, given the actual flaw is a somewhat vaguely worded paragraph in the HTTP RFC regarding multiple requested ranges and how they should be treated. Sometimes the real bug is inherent to the protocol, and all vendors need to work together to seek a sensible remedy.

Re:Quick fixes (1)

sabt-pestnu (967671) | more than 3 years ago | (#37412952)

So what you're saying is "Le mieux est l'ennemi du bien"?

2.0.65? (1)

PrimaryConsult (1546585) | more than 3 years ago | (#37404622)

Nice.

I hope the one for 2.0.64 comes out soon... but at the same time I'm glad the 2.2 guys are the guinea pigs seeing regressions and not us :).

Re:2.0.65? (1)

thogard (43403) | more than 3 years ago | (#37404988)

More people are running 1.3 than 2.0 now. Going from 1.3 to 2.2 with a custom module sometimes means a rewrite but going from 2.0 to 2.2 tends to be updating a few elements in some structures.

Re:2.0.65? (1)

soundguy (415780) | more than 3 years ago | (#37406520)

I still run 2.0 on a handful of servers that use mod_auth_mysql because it apparently doesn't work on 2.2.

Re:2.0.65? (0)

Anonymous Coward | more than 3 years ago | (#37407192)

2.2 has mod_auth_dbd.

Re:2.0.65? (0)

Anonymous Coward | more than 3 years ago | (#37406284)

Just upgrade already, jeez.

Big deal (0)

Anonymous Coward | more than 3 years ago | (#37408626)

All they changed was the response codes because they violated the RFC standard. If it was Microsoft or Apple they would have said it was a "Feature upgrade", or Adobe they would have fixed it silently.
