CentOS: Apache Security

CentOS 5 ships with Apache 2.2.12 by default. Security releases that affect this version are documented here.

2.2.20 - Range header DoS vulnerability

A denial-of-service attack; several mitigation options exist.

Use mod_headers to disallow Range headers entirely:
RequestHeader unset Range

Note that this may break certain clients - such as those used for e-Readers and progressive/http-streaming video.

To also ignore the legacy Request-Range header, which is specific to Netscape Navigator 2-3 and MSIE 3, add:

RequestHeader unset Request-Range

2.2.19 - apr_fnmatch flaw leads to mod_autoindex remote DoS

Denial of service attack.

Adding the IgnoreClient option to the IndexOptions directive disables processing of the client-supplied request query arguments, which prevents this attack:

IndexOptions IgnoreClient
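As an added example (not part of this page and not CentOS or Apache code), a small Python audit that reports which of the three mitigations above are active in an httpd.conf fragment. The sample configuration is constructed, and the check that mod_headers and mod_autoindex are loaded through LoadModule (as in the CentOS httpd.conf layout) is an assumption; a directive that is commented out with '#' is correctly reported as inactive.

```python
import re

# Constructed sample httpd.conf fragment (assumption: not a real CentOS file).
# The Range line is commented out, so only two of the three mitigations are active.
SAMPLE_CONF = """\
LoadModule headers_module modules/mod_headers.so
LoadModule autoindex_module modules/mod_autoindex.so
# RequestHeader unset Range
RequestHeader unset Request-Range
<Directory "/var/www/html">
    IndexOptions FancyIndexing +IgnoreClient
</Directory>
"""


def active_lines(conf_text):
    """Yield configuration lines with '#' comments and blank lines removed."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def audit_httpd_conf(conf_text):
    """Return which of the page's mitigations are active in conf_text.

    Directive and header names are matched case-insensitively, as Apache
    treats them. RequestHeader needs mod_headers and IndexOptions needs
    mod_autoindex, so each check also requires the matching LoadModule line
    (assumed CentOS layout); '+IgnoreClient' counts, '-IgnoreClient' does not.
    """
    lines = list(active_lines(conf_text))

    def has(pattern):
        return any(re.match(pattern, line, re.IGNORECASE) for line in lines)

    def ignoreclient_set():
        for line in lines:
            tokens = line.split()
            if tokens[0].lower() == "indexoptions":
                if any(t.lower() in ("ignoreclient", "+ignoreclient") for t in tokens[1:]):
                    return True
        return False

    headers_loaded = has(r"LoadModule\s+headers_module\b")
    autoindex_loaded = has(r"LoadModule\s+autoindex_module\b")
    return {
        "range_unset": headers_loaded and has(r"RequestHeader\s+unset\s+Range\b"),
        "request_range_unset": headers_loaded and has(r"RequestHeader\s+unset\s+Request-Range\b"),
        "ignoreclient": autoindex_loaded and ignoreclient_set(),
    }
```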