Differences

This shows you the differences between two versions of the page.

Link to this comparison view

centos_apache_security [2011/10/13 10:33] (current)
Line 1: Line 1:
 +====== CentOS: Apache Security ======
 +
 +  * [[Apache]]
 +  * [[Apache Security]]
 +
 +CentOS 5 ships with Apache 2.2.12 by default. ​ Security releases that affect this version are documented here.
 +
 +==== 2.2.20 - Range header DoS vulnerability ====
 +
 +  * [[http://​httpd.apache.org/​security/​CVE-2011-3192.txt|CVE-2011-3192]]
 +
 +Denial of service attack. ​ Some mitigation options exist.
 +
 +== Use mod_headers to completely dis-allow the use of Range headers ==
 +
 +<​code>​
 +RequestHeader unset Range
 +</​code>​
 +
 +Note that this may break certain clients - such as those used for e-Readers and progressive/​http-streaming video.
 +
 +Furthermore to ignore the Netscape Navigator 2-3 and MSIE 3 specific legacy header - add:
 +
 +<​code>​RequestHeader unset Request-Range</​code>​
 +
 +==== 2.2.19 - apr_fnmatch flaw leads to mod_autoindex remote DoS ====
 +
 +Denial of service attack.
 +
 +Setting the ''​IgnoreClient''​ option to the ''​IndexOptions''​ directive disables processing of the client-supplied request query arguments, preventing this attack.
 +
 +<​code>​IndexOptions IgnoreClient</​code>​
 +