System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

HPWS --> Apache 2.2.20 Update for CVE-2011-3192

 
bsekleckiFedex
Occasional Contributor

HPWS --> Apache 2.2.20 Update for CVE-2011-3192

When will HP Update HPWS to solve CVE-2011-3192 ?  Upgrading it to 2.2.20 is the right thing to do, but I don't actually expect that.


Instead, pull a Redhat and patch it.

 

The work-arounds work, but that kills file-seeking on streams and resume downloads.


~BAS

 

----

Date: Wed, 31 Aug 2011 07:21:49 -0400
From: Jim Jagielski <jim@apache.org>
To: announce@apache.org
Subject: [ANNOUNCEMENT] Apache HTTP Server 2.2.20 Released

 

Apache HTTP Server 2.2.20 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.20 of the Apache HTTP Server ("Apache").  This version of Apache is principally a security and bug fix release:

 

* SECURITY: CVE-2011-3192 (cve.mitre.org)
 core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than  the original file, ignore the ranges and send the complete file. PR 51714.

 


We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.


Brian A Seklecki
Fedex Services