CentOS - Aug 2011 - Apache warns Web server admins of DoS attack tool

Anyone have any idea how soon RHEL and CentOS will be releasing the patch
package?

Excerpt:
Computerworld - Developers of the Apache open-source project today
warned users of the popular Web server software that a denial-of-service
(DoS) tool is circulating that exploits a bug in the program.

The tool, called "Apache Killer," showed up last Friday in a post to
the
"Full Disclosure" security mailing list.

Today, the Apache project acknowledged the vulnerability that the attack
tool exploits, and said it would release a fix for Apache 2.0 and 2.2 in
the next 48 hours.
--- end excerpt ---

<http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_admins_of_DoS_attack_tool>

        mark

On 08/25/2011 05:33 PM, m.roth at 5-cent.us wrote:
> Anyone have any idea how soon RHEL and CentOS will be releasing the patch
> package?
keep an eye on this :
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3192#c5

- KB

On Thursday 25 Aug 2011, m.roth at 5-cent.us wrote:
> Anyone have any idea how soon RHEL and CentOS will be releasing the patch
> package?
> 
> Excerpt:
> Computerworld - Developers of the Apache open-source project today
> warned users of the popular Web server software that a denial-of-service
> (DoS) tool is circulating that exploits a bug in the program.
> 
> The tool, called "Apache Killer," showed up last Friday in a post
to the
> "Full Disclosure" security mailing list.
> 
> Today, the Apache project acknowledged the vulnerability that the attack
> tool exploits, and said it would release a fix for Apache 2.0 and 2.2 in
> the next 48 hours.
> --- end excerpt ---
> 
>
<http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_adm
> ins_of_DoS_attack_tool>
There are some work-around suggestions here:
http://lwn.net/Articles/456268/

On Thu, 2011-08-25 at 12:33 -0400, m.roth at 5-cent.us
wrote:
> Anyone have any idea how soon RHEL and CentOS will be releasing the patch
> package?
> 
> Excerpt:
> Computerworld - Developers of the Apache open-source project today
> warned users of the popular Web server software that a denial-of-service
> (DoS) tool is circulating that exploits a bug in the program.
>
<http://www.computerworld.com/s/article/9219471/Apache_warns_Web_server_adm
 ins_of_DoS_attack_tool>

There are some work-around suggestions here:
http://lwn.net/Articles/456268/

Thanks Mark for the warning and also to Colin. I am sure CENTOS users
appreciate it. I certainly do.

The temporary fix is shown on several web sites as this, shown below,
added to Apache's conf file:-


          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (,.*?){5,} bad-range=1
          RequestHeader unset Range env=bad-range
  
          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

I've done this on the Apache's main conf file and restarted it. httpd
appear to be working normally on reliable Centos 5.6.

Its great having a Centos mailing list where concerned Centos users can
post news about issues affecting other Centos users, even if the posting
user accidentally forgets to mention which version of Centos is
affected.

Have a nice day everyone.

Paul.

On Fri, Aug 26, 2011 at 9:45 AM, Kenneth Porter <shiva at sewingwitch.com>
wrote:
> I don't see any mention of this in the CentOS announcements forum.
I'd
> consider dropping the mailing list and switching to forums if this kind of
> warning appeared there.
>
> <https://www.centos.org/modules/newbb/viewforum.php?forum=53>
> _______________________________________________


The CentOS forum is pretty useless IMO

-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532

On Friday, August 26, 2011 03:02:06 PM Always Learning
wrote:
> On Fri, 2011-08-26 at 14:19 -0400, m.roth at 5-cent.us wrote:
> > And you *are* customizing /etc/httpd/conf/httpd.conf.
> We have D-O-C-U-M-E-N-T-A-T-I-O-N which remains behind we we go home, go
> to lunch and go on holiday.
> > I stay with std. practice, as much as I can.
> I do too but where there are multiple servers using almost the same
> setup, the changeable bits are 'included' and kept in individual
files.
What can you do with this setup that you can't with the standard way of
putting those files, including other includes, in the standard
/etc/httpd/conf.d/ directory?  As the stock httpd.conf is already set up to do
those automatic includes out of /etc/httpd/conf.d/, no customization nor special
documentation is required to handle essentially everything you've said on
this topic.  If you put those individual vhost files in the /etc/httpd/conf.d/
directory, you don't have to do anything at all extra, and you don't
have to document it, since it's already the standard way, which saves you
time and money.  (Or, to paraphrase a common rejoinder in NANOG, 'I
encourage my competitors to do it that way.')

You can have a single file per vhost, no problem, in /etc/httpd/conf.d/.  You
can back it up easily (/etc should be a stock part of everyone's backups,
right?).  You can subinclude, even making a subtree under the /etc/httpd/conf.d/
directory.  And it's all already set up to just work with SELinux and the
other RHEL (RHCE!) documented ways of doing things.   And it IS the standard way
of doing what you're saying is the way you do things.

On 08/26/11 2:16 PM, m.roth at 5-cent.us wrote:
> And, of course, IBM really, *really wants folks to use Linux. I mean, if
> *you*  were Big Blue, would you want to support, uh,
> sys38/4000/RISC6000/AIX/"DOS/VSE/SP/<whatever letters in the last
15
> years)>/MVS/zOS... or just Linux? (You've grown your business, and
need a
> bigger machine? Great! Here's the next large box, just throw it on,
maybe
> just recompile, and no porting needed!)
they still push z/OS (the descendent of OS/370) as a primary mainframe 
OS for large scale database and batch processing, and AIX on Power 
servers for big database servers and such.    Linux still has vertical 
scaling issues for larger workloads, and transaction processing doesn't 
scale well horizontally without massive complications.

System/38 long ago (late 1980s) gave way to AS/400 which is now IBM i 
(aka i5/OS), and runs on the same Power servers as AIX, either 
virtualized or whole-iron.   RS/6000 long ago was renamed pSeries or 
Power, and is hardware, which runs AIX, i, and Linux.

but, i don't believe CentOS runs on Z (descendent of System/370) or 
Power (also known as PowerPC) architectures, so this is all off topic.




-- 
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast

On Sunday, August 28, 2011 06:47:08 PM Les Mikesell
wrote:
> So, if the forums provide a usable rss feed, reading
> them shouldn't be that bad, even though you have to follow the links
> to read longer messages and reply.   
If the forums have useful RSS feeds, yeah, that would work.  I use Kontact; the
default feed reader for Kontact is Akregator, which works reasonably well as
long as the RSS feed is reasonable (that is, you can get all useful content
without having to go to the forum website; if the forum RSS feed requires me to
go to the website for essential things like subjects and thread starters, then
it's unreasonable).

Otherwise I find web forums require a complete change in workflow; that is, I
have to go look at the website and navigate around, with different interfaces,
logins, and paradigms.  I like e-mail when done right (folderized, threaded,
etc).  When done wrong it's useless, too, for that matter.

m.roth at 5-cent.us said the following on 25/08/11
18:33:
> Anyone have any idea how soon RHEL and CentOS will be releasing the patch
> package?
Apparently Apache just released a patch:
https://www.apache.org/dist/httpd/Announcement2.2.html

Source:
http://nakedsecurity.sophos.com/2011/08/31/apache-2-2-20-released-to-fix-dos-vulnerability/


Ciao,
luigi

-- 
/
+--[Luigi Rosa]--
\

Sinclair: Good morning, Lieutenant Commander. Sleep well?
Ivanova: Sleeping is not the problem. Waking up, that is a problem.
   I've always had a hard time getting up when it's dark outside.
Sinclair: But in space it's always dark.
Ivanova: I know. I know.
     --"Signs and Portents"