Please note – Apache have released a fix to this issue, and as such the below guidance has now been superseded by their fix.
I have been aware of the Apache web server issue for the last few days, where a request carrying an overly wide Range header (many byte ranges in one request) leads to a crash in the server. As a patch hasn’t yet been released by Apache, people are coding their own solutions, and one such solution was found at edwiget.name.
That fix was for CentOS based Linux distributions, so this re-write covers how to do the same fix under Debian based distributions.
Check to make sure that the headers module has been installed:
locate mod_headers
Then, add the config below to the headers module:
sudo tee /etc/apache2/mods-available/headers.conf <<'EOF'
# As found at http://www.edwiget.name/2011/08/quick-fix-for-apache-cve-2011-3192/
<IfModule mod_headers.c>
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
# optional logging.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
# Note: nothing above sets bad-req-range, so this second CustomLog only
# records anything if another rule elsewhere in the config sets it.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range
</IfModule>
EOF
And lastly, enable the module:
a2enmod headers
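As an added illustration (not code from this post or from edwiget.name), the Python script below applies the same regex and the same header rules to constructed sample requests, so you can see which Range values the SetEnvIf line would flag before relying on it. Header names are assumed to be already canonicalised.

```python
import re
from typing import Dict, List, Tuple

# Same pattern as the SetEnvIf directive in the post: five commas anywhere in
# the value, i.e. six or more comma-separated ranges. Apache uses PCRE and
# Python's re agrees for this pattern, so the outcome below matches Apache's.
BAD_RANGE_RE = re.compile(r"(?:,.*?){5,5}")


def count_ranges(value: str) -> int:
    """Count the comma-separated range specs in a Range/Request-Range value."""
    _, _, specs = value.partition("=")
    return sum(1 for spec in specs.split(",") if spec.strip())


def is_bad_range(value: str) -> bool:
    """True when the post's SetEnvIf regex would set bad-range=1 for this value."""
    return BAD_RANGE_RE.search(value) is not None


def apply_mitigation(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Emulate the mod_headers rules from the post on one request's headers.

    Returns (filtered headers, env flags set); the flags are the variables the
    CustomLog lines key on. Request-Range is always dropped, Range only when
    the regex flags it.
    """
    out = dict(headers)
    env: List[str] = []
    if "Range" in out and is_bad_range(out["Range"]):
        env.append("bad-range")
        del out["Range"]
    # No SetEnvIf in the post sets bad-req-range, so that CustomLog never fires here.
    out.pop("Request-Range", None)
    return out, env


# Constructed sample requests (hypothetical values, not taken from real traffic).
SAMPLES = {
    "single range":  {"Range": "bytes=0-499"},
    "five ranges":   {"Range": "bytes=0-1,2-3,4-5,6-7,8-9"},
    "six ranges":    {"Range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"},
    "legacy header": {"Request-Range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        kept, flags = apply_mitigation(hdrs)
        value = next(iter(hdrs.values()))
        print(f"{name:14s} ranges={count_ranges(value)} flags={flags} kept={kept}")
```

Note that the regex counts commas, not parsed ranges, so five ranges (four commas) pass untouched while six ranges (five commas) lose the Range header.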
EDIT: 2011-08-26 as per Ed’s comment below. Many thanks!
Thanks for your feedback. I also updated the SetEnvIf today and added a method for older Netscape as per the Apache Foundation. You should also update your httpd.conf code too. The new code is below (not sure how the format will turn out):
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
CustomLog logs/range-CVE-2011-3192.log common env=bad-req-range