HPE Community
Operating System - HP-UX
1753952 Members
8132 Online
108811 Solutions
New Discussion

HPWS --> Apache 2.2.20 Update for CVE-2011-3192

 
bsekleckiFedex
Occasional Contributor

‎08-31-2011 05:36 AM - edited ‎08-31-2011 05:38 AM

‎08-31-2011 05:36 AM - edited ‎08-31-2011 05:38 AM

HPWS --> Apache 2.2.20 Update for CVE-2011-3192

When will HP Update HPWS to solve CVE-2011-3192 ?  Upgrading it to 2.2.20 is the right thing to do, but I don't actually expect that.


Instead, pull a Redhat and patch it.

 

The work-arounds work, but that kills file-seeking on streams and resume downloads.


~BAS

 

----

Date: Wed, 31 Aug 2011 07:21:49 -0400
From: Jim Jagielski <jim@apache.org>
To: announce@apache.org
Subject: [ANNOUNCEMENT] Apache HTTP Server 2.2.20 Released

 

Apache HTTP Server 2.2.20 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.20 of the Apache HTTP Server ("Apache").  This version of Apache is principally a security and bug fix release:

 

* SECURITY: CVE-2011-3192 (cve.mitre.org)
 core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than  the original file, ignore the ranges and send the complete file. PR 51714.

 


We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.


Brian A Seklecki
Fedex Services
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.