Important Apache Security Release

Apache has announced their latest security release:

[[ANNOUNCEMENT] Apache HTTP Server 2.2.20 Released](http://mail-archives.apache.org/mod_mbox/www-announce/201108.mbox/<85111090-501E-4C80-AA8F-DD11B94FDF7C@apache.org>)

This release patches the recently publicized DoS vulnerability in the way Apache handles byte-range requests. This vulnerability has recently been thrust into the spotlight, thanks to the “Apache Killer” script released last week. Thanks to this script, not only can any script kiddie mess with your Apache server, they can take down your whole system! I am working on manually patching my servers, but I would also like to see this release in the repositories ASAP. Can anyone point me in the right direction on how to get this done? I don’t mind doing work on it myself, but I’m a little lost on who to talk to. I would also like to encourage people to update as soon as they can.

By the way, I have submitted a bug for this:

https://bugzilla.novell.com/show_bug.cgi?id=715372

If anyone has suggestions for moving this along, I’ll be happy to hear them.

On 08/31/2011 11:06 PM, MatthewEhle wrote:
> I don’t mind doing work on it myself, but I’m a little lost on who to
> talk to.

openSUSE developers are normally easy to reach on either IRC or mail
list, see here: http://en.opensuse.org/openSUSE:Communication_channels


DD
openSUSE®, the “German Engineered Automobile” of operating systems!

Hi,
CVE-2011-3192 has already been dealt with and the fixes have been
backported (no reason to upgrade). The bug reference is 713966, which
can’t be seen as it’s security related.

You need to start reviewing the changelogs to verify the backported
fixes :wink:


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 11.4 (x86_64) Kernel 2.6.37.6-0.7-desktop
up 1 day 7:03, 5 users, load average: 0.17, 0.11, 0.13
GPU GeForce 8600 GTS Silent - Driver Version: 280.13

I have questions:

  • When will this be available and distributed in the updates ?
  • (a general question) How can users compile the original source ( http://apache.copahost.com//httpd/httpd-2.2.20.tar.gz ) so that it fits the installed version (e.g. the openSUSE 11.4 customization and packages)?

A1: It’s already released. E.g. on a 11.3 system:

```
Name        : apache2                      Relocations: (not relocatable)
Version     : 2.2.15                            Vendor: openSUSE
Release     : 4.5.1                         Build Date: Thu 01 Sep 2011 10:19:11 AM EST
Install Date: Sat 03 Sep 2011 03:07:37 AM EST      Build Host: build18
Group       : Productivity/Networking/Web/Servers   Source RPM: apache2-2.2.15-4.5.1.src.rpm
Size        : 2224528                          License: ASLv..
Signature   : RSA/8, Thu 01 Sep 2011 10:20:20 AM EST, Key ID b88b2fd43dbdc284
Packager    : http://bugs.opensuse.org
URL         : http://httpd.apache.org/
Summary     : The Apache Web Server Version 2.2
Description :
Apache 2, the successor to Apache 1.
```

A2: Not sure what you mean by Q2. Generally users never have to build their own for important security updates. Even though the openSUSE package shows 2.2.15, rest assured that the fixes have been backported.
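An added example illustrating Malcolm’s advice to review the changelogs and A2’s point that a package showing 2.2.15 can still carry the fix; this is not code posted by anyone in the thread. It assumes an RPM-based system where `rpm -q --changelog apache2` prints the package changelog, and the sample changelog text embedded in it is constructed for the example rather than copied from the real openSUSE package. The check is the CVE id in the changelog, not the upstream version number.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a distribution package
# carries a backported security fix by reading its RPM changelog, rather than
# comparing the upstream version string (2.2.15 here) against the upstream
# release that shipped the fix (2.2.20).

# Constructed sample of what `rpm -q --changelog apache2` prints. The entries
# below are made up for this example; the real openSUSE entries read differently.
SAMPLE_CHANGELOG='* Thu Sep 01 2011 maintainer@example.org
- backported fix for CVE-2011-3192: byte-range DoS (bnc#713966)
* Mon Mar 07 2011 maintainer@example.org
- update to 2.2.15'

# changelog_has_cve CVE-ID   (changelog text on stdin)
# Exit 0 if some entry mentions the CVE id as a whole word, so that
# CVE-2011-319 or CVE-2011-3192x do not count as a match for CVE-2011-3192.
changelog_has_cve() {
    grep -qiw -- "$1"
}

# changelog_fix_header CVE-ID   (changelog text on stdin)
# Print the "* <date> <packager>" header of the entry that first mentions the
# CVE id, i.e. when the fix landed in the package; print nothing if not found.
changelog_fix_header() {
    awk -v cve="$1" '
        /^\* / { hdr = $0 }
        index(toupper($0), toupper(cve)) && hdr != "" { print hdr; exit }
    '
}

# package_has_cve_fix PACKAGE CVE-ID
# Query the installed package; exit 1 if rpm is missing, the package is not
# installed, or the changelog never mentions the CVE.
package_has_cve_fix() {
    rpm -q --changelog "$1" 2>/dev/null | changelog_has_cve "$2"
}

# Stand-alone run: check the real package when rpm is available, otherwise
# walk through the constructed sample so the script runs anywhere.
if command -v rpm >/dev/null 2>&1; then
    if package_has_cve_fix apache2 CVE-2011-3192; then
        echo "apache2: changelog mentions CVE-2011-3192 (fix backported)"
        echo "fixed in: $(rpm -q --changelog apache2 | changelog_fix_header CVE-2011-3192)"
    else
        echo "apache2: no CVE-2011-3192 entry found; do not assume the fix is present"
    fi
else
    if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_cve CVE-2011-3192; then
        echo "sample: fixed in $(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_fix_header CVE-2011-3192)"
    fi
fi
```

Run it as `sh check-cve.sh` on the server in question; a package whose changelog never mentions the CVE should be treated as unpatched until the vendor’s security bug (713966 here) or advisory says otherwise, regardless of what `rpm -qi` reports as the version.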