CentOS: Apache Security
CentOS 5 ships with Apache 2.2.12 by default. Security releases that affect this version are documented here.
2.2.20 - Range header DoS vulnerability
Denial of service attack. Some mitigation options exist.
Use mod_headers to disallow the Range header entirely:
RequestHeader unset Range
Note that this may break certain clients, such as e-readers and progressive/HTTP-streaming video players.
To also ignore the legacy Request-Range header specific to Netscape Navigator 2-3 and MSIE 3, add:
RequestHeader unset Request-Range
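Unsetting Range for every client is a blunt fix, so before deploying it an operator may want to measure how many requests actually carry a Range header and how many of those request an implausible number of byte ranges. The following is an added example, not part of the CentOS wiki page or the Apache project: it parses Range header values, classifies them, and tallies a few constructed access-log lines. It assumes a LogFormat that appends `%{Range}i` as the final quoted field and a threshold of 5 ranges; both are choices for this example, not values from the page.

```python
import re

# "bytes=" followed by comma-separated byte-range-specs such as "0-99", "100-", "-500".
RANGE_SPEC = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)
BYTE_RANGE = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header):
    """Return [(first, last), ...] with None for an open end; ValueError on bad syntax."""
    m = RANGE_SPEC.match(header)
    if not m:
        raise ValueError("not a bytes range: %r" % header)
    ranges = []
    for spec in (s.strip() for s in m.group(1).split(",")):
        bm = BYTE_RANGE.match(spec)
        if not bm or spec == "-":
            raise ValueError("bad byte-range-spec: %r" % spec)
        first, last = (int(x) if x else None for x in bm.groups())
        if first is not None and last is not None and last < first:
            raise ValueError("inverted range: %r" % spec)
        ranges.append((first, last))
    return ranges

def classify_range(header, max_ranges=5):
    """Return 'normal', 'excessive' or 'malformed' for one Range header value."""
    try:
        ranges = parse_ranges(header)
    except ValueError:
        return "malformed"
    return "excessive" if len(ranges) > max_ranges else "normal"

# Constructed access-log lines; the (hypothetical) LogFormat appends "%{Range}i"
# as the last quoted field so the client's Range header is visible for review.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Aug/2011:10:00:01 +0000] "GET /video.mp4 HTTP/1.1" 206 1048576 "bytes=0-1048575"',
    '203.0.113.9 - - [24/Aug/2011:10:00:03 +0000] "HEAD /index.html HTTP/1.1" 206 0 "bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7"',
    '203.0.113.9 - - [24/Aug/2011:10:00:04 +0000] "GET /index.html HTTP/1.1" 416 0 "bytes=foo"',
    '192.0.2.33 - - [24/Aug/2011:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-"',
]

def scan_log(lines, max_ranges=5):
    """Tally requests by Range classification; "-" in the log means no Range header sent."""
    counts = {"none": 0, "normal": 0, "excessive": 0, "malformed": 0}
    for line in lines:
        value = line.rstrip().rstrip('"').rsplit('"', 1)[-1]  # last quoted field
        if value == "-":
            counts["none"] += 1
        else:
            counts[classify_range(value, max_ranges)] += 1
    return counts
```

Run against a real log with the same format, a high "normal" count warns that the blanket `RequestHeader unset Range` will affect legitimate clients, while "excessive" entries show which sources would be worth stripping or blocking selectively.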
2.2.19 - apr_fnmatch flaw leads to mod_autoindex remote DoS
Denial of service attack.
Setting the IgnoreClient option on the IndexOptions directive disables processing of the client-supplied request query arguments, preventing this attack:
IndexOptions IgnoreClient