Handling Apache CVE-2011-3192

The Apache vulnerability that made the news at the end of last month: a DoS attack that abuses the Range header.
Ubuntu has released fixed packages, so I installed them.
We run Ubuntu 10.04 LTS, and the fix is a patched build of Apache 2.2.14, so detailed behaviour testing doesn't seem necessary.
Thanks to the Debian response team!!

Details of the updated packages are below.

apticron report [Sat, 03 Sep 2011 04:40:11 +0900]
========================================================================

apticron has detected that some packages need upgrading on:

kuniharumaki.com

The following packages are currently pending an upgrade:

apache2 2.2.14-5ubuntu8.6
apache2-mpm-prefork 2.2.14-5ubuntu8.6
apache2-prefork-dev 2.2.14-5ubuntu8.6
apache2-utils 2.2.14-5ubuntu8.6
apache2.2-bin 2.2.14-5ubuntu8.6
apache2.2-common 2.2.14-5ubuntu8.6

========================================================================

Package Details:

Reading changelogs…
--- Changes for apache2 (apache2 apache2-mpm-prefork apache2-prefork-dev apache2-utils apache2.2-bin apache2.2-common) ---
apache2 (2.2.14-5ubuntu8.6) lucid-security; urgency=low

  * SECURITY UPDATE: Range header DoS vulnerability
    - debian/patches/207_CVE-2011-3192.dpatch: filter out large
      byte ranges and improve memory efficiency in handling buckets.
      (thanks to Debian and upstream)
    - CVE-2011-3192
  * Include fix for regressions introduced by above patch:
    - debian/patches/208_CVE-2011-3192_regression.dpatch: return 206
      and 416 response codes where appropriate (see debian bug 639825)

 -- Steve Beattie  Thu, 01 Sep 2011 01:52:17 -0700

========================================================================

You can perform the upgrade by issuing the command:

aptitude full-upgrade
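To illustrate what the changelog entries describe, here is a small Python model of the defensive Range handling; it is added to this post and is not Apache's own code or the Ubuntu patch. It caps the number of byte-range specs per request (MAX_RANGES is an assumed value for the example), merges overlapping ranges so no byte is buffered twice, and makes the 200/206/416 decision that the regression fix mentions.

```python
import re

# Cap on byte-range specs per request, modeled on the CVE-2011-3192 mitigation
# (assumed value for this example, not taken from the Ubuntu package).
MAX_RANGES = 200
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header, size):
    """Parse a 'bytes=' Range header into (first, last) pairs clipped to size.
    Returns None for a malformed header, which HTTP says must be ignored."""
    if not header.startswith("bytes="):
        return None
    out = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            return None
        first, last = m.groups()
        if first == "":                     # suffix form "-N": the last N bytes
            if int(last) == 0:
                continue                    # suffix-length 0 is unsatisfiable
            out.append((max(size - int(last), 0), size - 1))
            continue
        f = int(first)
        if last != "" and int(last) < f:
            return None                     # first > last: syntactically invalid
        if f < size:                        # a start past the end is unsatisfiable
            out.append((f, size - 1 if last == "" else min(int(last), size - 1)))
    return out

def merge_ranges(ranges):
    """Coalesce overlapping or adjacent ranges so no byte is buffered twice."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged

def decide(header, size):
    """Return (status, ranges): 200 ignores Range and serves the whole body,
    206 serves the listed ranges, 416 means nothing was satisfiable."""
    ranges = None if header.count(",") + 1 > MAX_RANGES else parse_ranges(header, size)
    if ranges is None:                      # too many specs or malformed: drop Range
        return 200, [(0, size - 1)]
    if not ranges:
        return 416, []
    return 206, merge_ranges(ranges)
```

A request carrying hundreds of range specs therefore gets the whole resource with a plain 200 instead of hundreds of buffered parts, which is the memory blow-up the patch closes.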
