centos_apache_security [2011/10/13 10:33] (current)
====== CentOS: Apache Security ======

  * [[Apache]]
  * [[Apache Security]]

CentOS 5 ships Apache 2.2.3 (the ''httpd'' package) and, like RHEL, keeps that version number while security fixes are backported into the package, so ''httpd -v'' never reports a fixed upstream release such as 2.2.20. To see whether a given fix is installed, look for the CVE identifier in ''rpm -q --changelog httpd''. The upstream security releases that affect this version, and the mitigations that apply until the backported package is installed, are documented here.

==== 2.2.20 - Range header DoS vulnerability ====

  * [[http://httpd.apache.org/security/CVE-2011-3192.txt|CVE-2011-3192]]

Remote denial of service. A single request carrying a ''Range'' header with a large number of overlapping byte ranges makes httpd build a separate copy of the selected content for every range, so a handful of such requests exhaust memory and CPU. The fix shipped upstream in 2.2.20 (and was refined in 2.2.21); the advisory linked above lists several mitigations that can be applied in the meantime, the simplest of which follows.

== Use mod_headers to completely dis-allow the use of Range headers ==

<code>
RequestHeader unset Range
</code>

Note that this may break certain clients that depend on partial content, such as those used for e-Readers, clients that resume interrupted downloads, and progressive/http-streaming video. The advisory also gives a less disruptive variant that unsets ''Range'' only when the header carries more than five ranges (a ''SetEnvIf'' match feeding ''RequestHeader unset Range env=...''), which leaves ordinary single-range requests working.

Furthermore, to ignore the Netscape Navigator 2-3 and MSIE 3 specific legacy header, which httpd honours in the same way as ''Range'', add:

<code>RequestHeader unset Request-Range</code>

==== 2.2.19 - apr_fnmatch flaw leads to mod_autoindex remote DoS ====

  * CVE-2011-0419

Remote denial of service. ''apr_fnmatch()'' in APR could be driven into unbounded CPU and memory consumption by a crafted pattern, and mod_autoindex passes the client's ''P='' query argument (the pattern filter of a directory listing) straight to it. The fix is in APR, bundled with httpd 2.2.19; on CentOS it lands in the ''apr'' package rather than ''httpd'', so check ''rpm -q --changelog apr'' for the CVE.

Setting the ''IgnoreClient'' option to the ''IndexOptions'' directive disables processing of all client-supplied request query arguments (the ''P='' pattern as well as the sort and column arguments), preventing this attack without updating APR. Directory listings remain available, but clients can no longer sort or filter them.

<code>IndexOptions IgnoreClient</code>
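The script below is an added example for both issues on this page; it is not part of the Apache advisories or of the CentOS packages. It assumes a CentOS host with ''rpm'', ''curl'' and ''awk'' available, takes the URL to probe as an argument (placeholder, not a real host), and copies the "more than five ranges" threshold from the advisory's ''SetEnvIf'' variant. ''range_count'' shows which ''Range'' values that variant would drop, ''probe_range'' tells you whether a server still honours multi-range requests, and ''pkg_has_fix'' looks for the backported fix in the RPM changelog, which on CentOS is the only reliable place to find it.

```shell
#!/bin/sh
# Added example (not from the Apache advisories or CentOS). Assumes rpm, curl
# and awk are present; the probe URL is supplied by the caller.

# Number of byte ranges in a Range header value, e.g. "bytes=0-,5-0,5-1" -> 3.
# Empty range specs between commas are not counted.
range_count() {
    printf '%s\n' "${1#*=}" | awk -F, '{ n = 0; for (i = 1; i <= NF; i++) if ($i != "") n++; print n }'
}

# Mirrors the threshold of the advisory's SetEnvIf variant: more than five
# ranges is treated as hostile. Returns 0 (true) when the header should be dropped.
range_is_bad() {
    [ "$(range_count "$1")" -gt 5 ]
}

# Sends a HEAD request with the shape of Range header the attack used (many
# overlapping ranges, here a harmless handful) and prints the HTTP status code.
# 206 means httpd honoured the ranges, so no mitigation is in effect;
# 200 means the header was ignored, either unset by mod_headers or refused by
# a fixed httpd.
probe_range() {
    curl -s -o /dev/null -w '%{http_code}' -I \
        -H 'Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9' "$1"
}

# Reports whether an installed package carries a backported fix for a CVE.
# CentOS keeps the upstream version number (httpd 2.2.3, for example) and
# records fixes in the RPM changelog instead. Arguments: package, CVE id.
pkg_has_fix() {
    rpm -q --changelog "$1" | grep -q -- "$2"
}

# Usage: sh apache_checks.sh probe http://host/   |   sh apache_checks.sh check
case "${1:-}" in
    probe)
        printf 'status: %s\n' "$(probe_range "$2")" ;;
    check)
        # httpd carries the Range fix, apr carries the apr_fnmatch fix.
        for spec in "httpd CVE-2011-3192" "apr CVE-2011-0419"; do
            set -- $spec
            if pkg_has_fix "$1" "$2"; then
                echo "$1: $2 fixed"
            else
                echo "$1: $2 NOT in changelog"
            fi
        done ;;
esac
```

Run ''check'' before and after ''yum update httpd apr''; run ''probe'' against a test instance only, never a production host you do not own, since an unmitigated server will happily serve the multipart response.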
+ | |||