m.roth at 5-cent.us
2011-Aug-25 16:33 UTC
[CentOS] Apache warns Web server admins of DoS attack tool
Anyone have any idea how soon RHEL and CentOS will be releasing the patch
package?

Excerpt:

Computerworld - Developers of the Apache open-source project today warned users of the popular Web server software that a denial-of-service (DoS) tool is circulating that exploits a bug in the program.

The tool, called "Apache Killer," showed up last Friday in a post to the "Full Disclosure" security mailing list.

Today, the Apache project acknowledged the vulnerability that the attack tool exploits, and said it would release a fix for Apache 2.0 and 2.2 in the next 48 hours.

--- end excerpt ---

<http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_admins_of_DoS_attack_tool>

mark
Karanbir Singh
2011-Aug-25 16:35 UTC
[CentOS] Apache warns Web server admins of DoS attack tool
On 08/25/2011 05:33 PM, m.roth at 5-cent.us wrote:
> Anyone have any idea how soon RHEL and CentOS will be releasing the patch
> package?

keep an eye on this : https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3192#c5

- KB
Colin Coles
2011-Aug-25 16:49 UTC
[CentOS] Apache warns Web server admins of DoS attack tool
On Thursday 25 Aug 2011, m.roth at 5-cent.us wrote:
> Anyone have any idea how soon RHEL and CentOS will be releasing the patch
> package?
>
> Excerpt:
> Computerworld - Developers of the Apache open-source project today
> warned users of the popular Web server software that a denial-of-service
> (DoS) tool is circulating that exploits a bug in the program.
>
> The tool, called "Apache Killer," showed up last Friday in a post to the
> "Full Disclosure" security mailing list.
>
> Today, the Apache project acknowledged the vulnerability that the attack
> tool exploits, and said it would release a fix for Apache 2.0 and 2.2 in
> the next 48 hours.
> --- end excerpt ---
>
> <http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_admins_of_DoS_attack_tool>

There are some work-around suggestions here: http://lwn.net/Articles/456268/
Always Learning
2011-Aug-25 19:09 UTC
[CentOS] Apache warns Web server admins of DoS attack tool
On Thu, 2011-08-25 at 12:33 -0400, m.roth at 5-cent.us wrote:
> Anyone have any idea how soon RHEL and CentOS will be releasing the patch
> package?
>
> Excerpt:
> Computerworld - Developers of the Apache open-source project today
> warned users of the popular Web server software that a denial-of-service
> (DoS) tool is circulating that exploits a bug in the program.
>
> <http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_admins_of_DoS_attack_tool>

> There are some work-around suggestions here: http://lwn.net/Articles/456268/

Thanks Mark for the warning and also to Colin. I am sure CentOS users appreciate it. I certainly do.

The temporary fix is shown on several web sites as this, shown below, added to Apache's conf file:-

    # Drop the Range header when more than 5 ranges.
    # CVE-2011-3192
    SetEnvIf Range (,.*?){5,} bad-range=1
    RequestHeader unset Range env=bad-range

    # optional logging.
    CustomLog logs/range-CVE-2011-3192.log common env=bad-range

I've done this on the Apache's main conf file and restarted it. httpd appears to be working normally on reliable CentOS 5.6.

It's great having a CentOS mailing list where concerned CentOS users can post news about issues affecting other CentOS users, even if the posting user accidentally forgets to mention which version of CentOS is affected.

Have a nice day everyone.

Paul.
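The work-around above hinges on one detail that is easy to misread: `SetEnvIf` applies `(,.*?){5,}` as an unanchored regular expression to the raw header value, so it fires on any Range header containing five or more commas (six or more range specs), not on the parsed range count. The following Python model is an added example, not code from the thread, from Apache or from Red Hat; it mirrors the `SetEnvIf`/`RequestHeader unset` pair, adds an RFC 2616 byte-range parser so an operator can check how many ranges a given header really carries, and runs both over a few constructed header values. Function names (`setenvif_matches`, `parse_byte_ranges`, `apply_range_policy`) and the sample values are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# The pattern from the work-around. mod_setenvif applies it unanchored to
# the Range header value, so it matches whenever the value contains at
# least five commas, i.e. six or more range specs ("more than 5 ranges").
BAD_RANGE_RE = re.compile(r"(,.*?){5,}")


def setenvif_matches(range_value: str) -> bool:
    """Mirror `SetEnvIf Range (,.*?){5,} bad-range=1`."""
    return BAD_RANGE_RE.search(range_value) is not None


def parse_byte_ranges(
    range_value: str,
) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Parse an RFC 2616 byte-range-set such as "bytes=0-499,-500,9500-".

    Returns a list of (first, last) pairs, None standing for an open end,
    or None when the value is not a syntactically valid bytes range set.
    """
    if not range_value.lower().startswith("bytes="):
        return None
    specs: List[Tuple[Optional[int], Optional[int]]] = []
    for part in range_value[len("bytes="):].split(","):
        part = part.strip()
        if not part:
            continue  # tolerate empty elements, e.g. "bytes=0-1,,2-3"
        m = re.fullmatch(r"(\d*)-(\d*)", part)
        if m is None or (m.group(1) == "" and m.group(2) == ""):
            return None  # malformed spec: "-" alone, "abc", "1-2-3", ...
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        specs.append((first, last))
    return specs


def count_ranges(range_value: str) -> int:
    """Number of parsed byte ranges; 0 for anything that does not parse."""
    specs = parse_byte_ranges(range_value)
    return len(specs) if specs is not None else 0


def apply_range_policy(
    headers: Dict[str, str], max_ranges: int = 5
) -> Tuple[Dict[str, str], bool]:
    """Emulate `RequestHeader unset Range env=bad-range` on one request.

    Returns the (possibly reduced) header dict and whether Range was dropped.
    The literal comma-count rule is checked first, as Apache does, and the
    parsed count second, so a malformed but comma-heavy value is still dropped.
    """
    value = headers.get("Range")
    if value is None:
        return dict(headers), False
    bad = setenvif_matches(value) or count_ranges(value) > max_ranges
    if not bad:
        return dict(headers), False
    kept = {k: v for k, v in headers.items() if k != "Range"}
    return kept, True


# Constructed sample header values for the demonstration (not captured traffic).
SAMPLES = {
    "single": "bytes=0-499",
    "five": "bytes=0-1,2-3,4-5,6-7,8-9",            # 4 commas: kept
    "six": "bytes=0-1,2-3,4-5,6-7,8-9,10-11",       # 5 commas: dropped
    "many": "bytes=" + ",".join(f"{i}-{i}" for i in range(200)),
}


def demo() -> Dict[str, bool]:
    """Map each sample name to whether the policy would drop its Range header."""
    return {
        name: apply_range_policy({"Host": "example.test", "Range": v})[1]
        for name, v in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, dropped in demo().items():
        print(f"{name:7s} ranges={count_ranges(SAMPLES[name]):4d} dropped={dropped}")
```

Running it shows the boundary the regex actually enforces: a five-range header passes, a six-range header is stripped. A request whose Range header has been removed is served in full with a 200 rather than a 206, which is the intended degradation, and the `CustomLog ... env=bad-range` line in the work-around records exactly the requests this function would flag.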
Rudi Ahlers
2011-Aug-26 08:01 UTC
[CentOS] Apache warns Web server admins of DoS attack tool
On Fri, Aug 26, 2011 at 9:45 AM, Kenneth Porter <shiva at sewingwitch.com> wrote:
> I don't see any mention of this in the CentOS announcements forum. I'd
> consider dropping the mailing list and switching to forums if this kind of
> warning appeared there.
>
> <https://www.centos.org/modules/newbb/viewforum.php?forum=53>

The CentOS forum is pretty useless IMO

--
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
Lamar Owen
2011-Aug-26 19:13 UTC
[CentOS] Apache warns Web server admins of DoS attack tool
On Friday, August 26, 2011 03:02:06 PM Always Learning wrote:
> On Fri, 2011-08-26 at 14:19 -0400, m.roth at 5-cent.us wrote:
> > And you *are* customizing /etc/httpd/conf/httpd.conf.
>
> We have D-O-C-U-M-E-N-T-A-T-I-O-N which remains behind when we go home, go
> to lunch and go on holiday.
>
> > I stay with std. practice, as much as I can.
>
> I do too but where there are multiple servers using almost the same
> setup, the changeable bits are 'included' and kept in individual files.

What can you do with this setup that you can't with the standard way of putting those files, including other includes, in the standard /etc/httpd/conf.d/ directory?

As the stock httpd.conf is already set up to do those automatic includes out of /etc/httpd/conf.d/, no customization nor special documentation is required to handle essentially everything you've said on this topic. If you put those individual vhost files in the /etc/httpd/conf.d/ directory, you don't have to do anything at all extra, and you don't have to document it, since it's already the standard way, which saves you time and money. (Or, to paraphrase a common rejoinder in NANOG, 'I encourage my competitors to do it that way.')

You can have a single file per vhost, no problem, in /etc/httpd/conf.d/. You can back it up easily (/etc should be a stock part of everyone's backups, right?). You can subinclude, even making a subtree under the /etc/httpd/conf.d/ directory. And it's all already set up to just work with SELinux and the other RHEL (RHCE!) documented ways of doing things.

And it IS the standard way of doing what you're saying is the way you do things.
John R Pierce
2011-Aug-26 22:38 UTC
[CentOS] Apache warns Web server admins of DoS attack tool
On 08/26/11 2:16 PM, m.roth at 5-cent.us wrote:
> And, of course, IBM really, *really wants folks to use Linux. I mean, if
> *you* were Big Blue, would you want to support, uh,
> sys38/4000/RISC6000/AIX/"DOS/VSE/SP/<whatever letters in the last 15
> years)>/MVS/zOS... or just Linux? (You've grown your business, and need a
> bigger machine? Great! Here's the next large box, just throw it on, maybe
> just recompile, and no porting needed!)

they still push z/OS (the descendant of OS/370) as a primary mainframe OS for large scale database and batch processing, and AIX on Power servers for big database servers and such. Linux still has vertical scaling issues for larger workloads, and transaction processing doesn't scale well horizontally without massive complications.

System/38 long ago (late 1980s) gave way to AS/400 which is now IBM i (aka i5/OS), and runs on the same Power servers as AIX, either virtualized or whole-iron. RS/6000 long ago was renamed pSeries or Power, and is hardware, which runs AIX, i, and Linux.

but, I don't believe CentOS runs on Z (descendant of System/370) or Power (also known as PowerPC) architectures, so this is all off topic.

--
john r pierce                            N 37, W 122
santa cruz ca                             mid-left coast
Lamar Owen
2011-Aug-29 15:21 UTC
[CentOS] Apache warns Web server admins of DoS attack tool
On Sunday, August 28, 2011 06:47:08 PM Les Mikesell wrote:
> So, if the forums provide a usable rss feed, reading
> them shouldn't be that bad, even though you have to follow the links
> to read longer messages and reply.

If the forums have useful RSS feeds, yeah, that would work. I use Kontact; the default feed reader for Kontact is Akregator, which works reasonably well as long as the RSS feed is reasonable (that is, you can get all useful content without having to go to the forum website; if the forum RSS feed requires me to go to the website for essential things like subjects and thread starters, then it's unreasonable).

Otherwise I find web forums require a complete change in workflow; that is, I have to go look at the website and navigate around, with different interfaces, logins, and paradigms. I like e-mail when done right (folderized, threaded, etc). When done wrong it's useless, too, for that matter.
Luigi Rosa
2011-Aug-31 08:12 UTC
[CentOS] Apache warns Web server admins of DoS attack tool
m.roth at 5-cent.us said the following on 25/08/11 18:33:
> Anyone have any idea how soon RHEL and CentOS will be releasing the patch
> package?

Apparently Apache just released a patch: https://www.apache.org/dist/httpd/Announcement2.2.html

Source: http://nakedsecurity.sophos.com/2011/08/31/apache-2-2-20-released-to-fix-dos-vulnerability/

Ciao,
luigi

--
/ +--[Luigi Rosa]--
\

Sinclair: Good morning, Lieutenant Commander. Sleep well?
Ivanova: Sleeping is not the problem. Waking up, that is a problem. I've always had a hard time getting up when it's dark outside.
Sinclair: But in space it's always dark.
Ivanova: I know. I know.
--"Signs and Portents"