====== CentOS: Apache Security ======
  * [[Apache]]
  * [[Apache Security]]
CentOS 5 ships with Apache 2.2.12 by default. Security releases that affect this version are documented here.
==== 2.2.20 - Range header DoS vulnerability ====
  * [[http://httpd.apache.org/security/CVE-2011-3192.txt|CVE-2011-3192]]
Denial of service attack. Some mitigation options exist.
== Use mod_headers to completely disallow the use of Range headers ==
  RequestHeader unset Range
Note that this may break certain clients, such as those used for e-Readers and progressive/HTTP-streaming video.
Furthermore, to ignore the Netscape Navigator 2-3 and MSIE 3 specific legacy header, add:
  RequestHeader unset Request-Range
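A less disruptive variant of the same mitigation, as an added example that is not part of the original page: strip the Range header only when it lists many ranges, so single-range clients such as e-Readers and video players keep working. The threshold of five commas and the log file name are assumptions to adjust for your site.

```apache
# Requires mod_setenvif and mod_headers to be loaded.
<IfModule mod_headers.c>
    # Flag requests whose Range header contains five or more commas,
    # i.e. more than five ranges. The threshold is an assumption; raise
    # it if legitimate clients on your site request more ranges.
    SetEnvIf Range (?:,.*?){5,5} bad-range=1

    # Remove Range only from flagged requests. They are then answered
    # with the full entity instead of a multi-range response.
    RequestHeader unset Range env=bad-range

    # The legacy Netscape Navigator 2-3 / MSIE 3 header is always dropped.
    RequestHeader unset Request-Range

    # Optional: record flagged requests for review. The file name is an
    # assumption; "common" must be defined by a LogFormat directive,
    # as it is in the stock httpd.conf.
    CustomLog logs/range-CVE-2011-3192.log common env=bad-range
</IfModule>
```

Run ''apachectl configtest'' before reloading, and check the new log after deployment to see whether any legitimate client is being flagged.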
==== 2.2.19 - apr_fnmatch flaw leads to mod_autoindex remote DoS ====
Denial of service attack.
Setting the ''IgnoreClient'' option on the ''IndexOptions'' directive disables processing of the client-supplied request query arguments, preventing this attack.
  IndexOptions IgnoreClient