Apache HTTP Server 2.2.20 fixes DoS vulnerability
The Apache Software Foundation has announced the release of version 2.2.20 of the open source Apache HTTP Server (httpd). The maintenance and security update addresses a previously reported denial-of-service (DoS) vulnerability (CVE-2011-3192) that could be exploited by an attacker from a single PC.
The remotely exploitable flaw was found in the way that multiple overlapping ranges are handled by httpd. Last week, a tool – an "Apache Killer" Perl script – was made publicly available on the Full Disclosure mailing list to demonstrate the problem. Using a modest number of requests, the tool can "cause very significant memory and CPU usage on the server".
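As an added illustration (not httpd's own code, and not the script mentioned above), the following Python check shows what a request filter in front of the server can do with the Range header while a patch is pending: parse the byte-range specs, count them and reject requests whose ranges overlap or are too numerous. The limit of five ranges, the sample content length and the decision to treat malformed headers as hostile are assumptions of this example.

```python
import re

# Assumed policy threshold (not taken from the advisory): more than this
# many byte ranges in one request is rejected.
MAX_RANGES = 5

_BYTES_RE = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)

def parse_byte_ranges(header_value, content_length):
    """Return [(start, end), ...] for a Range header value, resolved
    against content_length. Raises ValueError on malformed specs."""
    m = _BYTES_RE.match(header_value)
    if not m:
        raise ValueError("only bytes= ranges are understood")
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not spec:
            continue
        start, sep, end = spec.partition("-")
        if not sep:
            raise ValueError("range spec lacks '-'")
        if start == "":                      # suffix range: last N bytes
            n = int(end)
            ranges.append((max(content_length - n, 0), content_length - 1))
        else:
            s = int(start)
            e = int(end) if end else content_length - 1
            e = min(e, content_length - 1)
            if s > e:
                raise ValueError("range start after end")
            ranges.append((s, e))
    return ranges

def has_overlap(ranges):
    """True if any two ranges share at least one byte offset."""
    max_end = -1
    for start, end in sorted(ranges):
        if start <= max_end:
            return True
        max_end = max(max_end, end)
    return False

def should_reject(header_value, content_length=1000, max_ranges=MAX_RANGES):
    """Decision a filter would take on one Range header (constructed policy)."""
    try:
        ranges = parse_byte_ranges(header_value, content_length)
    except ValueError:
        return True                          # malformed: treat as hostile
    return len(ranges) > max_ranges or has_overlap(ranges)
```

A request with a single range or a few non-overlapping ones passes; overlapping ranges, an excessive number of ranges, or a malformed header is rejected.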
According to the project's security advisory, Apache HTTP Server 1.3.x and 2.x.x to 2.2.19 are affected; updating to 2.2.20 fixes the flaw. As active use of the Apache Killer tool has been observed, the developers encourage all users to upgrade to the latest version.
Further information about the update can be found in the official release announcement and in the change log. At the time of writing, the project's home page, official download page and the Apache httpd 2.2 vulnerabilities page have yet to be updated with details of the release. Apache HTTP Server 2.2.20 is available to download from the project's archive page.
- Range header DoS vulnerability Apache HTTPD 1.3/2.x, Apache security advisory.
- Another DoS fix for Apache HTTP server, a report from The H.