Differences
This shows you the differences between two versions of the page.
| — |
centos_apache_security [2011/10/13 10:33] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== CentOS: Apache Security ====== | ||
| + | |||
| + | * [[Apache]] | ||
| + | * [[Apache Security]] | ||
| + | |||
| + | CentOS 5 ships with Apache 2.2.12 by default. Security releases that affect this version are documented here. | ||
| + | |||
| + | ==== 2.2.20 - Range header DoS vulnerability ==== | ||
| + | |||
| + | * [[http://httpd.apache.org/security/CVE-2011-3192.txt|CVE-2011-3192]] | ||
| + | |||
| + | Denial of service attack. Some mitigation options exist. | ||
| + | |||
| + | == Use mod_headers to completely dis-allow the use of Range headers == | ||
| + | |||
| + | <code> | ||
| + | RequestHeader unset Range | ||
| + | </code> | ||
| + | |||
| + | Note that this may break certain clients - such as those used for e-Readers and progressive/http-streaming video. | ||
| + | |||
| + | Furthermore to ignore the Netscape Navigator 2-3 and MSIE 3 specific legacy header - add: | ||
| + | |||
| + | <code>RequestHeader unset Request-Range</code> | ||
| + | |||
| + | ==== 2.2.19 - apr_fnmatch flaw leads to mod_autoindex remote DoS ==== | ||
| + | |||
| + | Denial of service attack. | ||
| + | |||
| + | Setting the ''IgnoreClient'' option to the ''IndexOptions'' directive disables processing of the client-supplied request query arguments, preventing this attack. | ||
| + | |||
| + | <code>IndexOptions IgnoreClient</code> | ||
| + | |||
