https://bugzilla.novell.com/show_bug.cgi?id=715372
https://bugzilla.novell.com/show_bug.cgi?id=715372#c0

Summary: Apache Security Release
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: All
OS/Version: SLES 11
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Apache
AssignedTo: bnc-team-apache@forge.provo.novell.com
ReportedBy: mattehle@gmail.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.1) Gecko/20100101 Firefox/6.0.1

Apache recently released 2.2.20, which is an important security fix. Please get this in the repositories as soon as possible.

Apache releases prior to this are vulnerable to a DoS attack that takes advantage of the way Apache handles the byte-range header. An attacker can use this method to quickly take down Apache and seize up the whole server, sometimes requiring a reboot of the machine.

Reproducible: Always

Steps to Reproduce:
1. Download and run the Apache Killer script (http://seclists.org/fulldisclosure/2011/Aug/att-175/killapache_pl.bin)
2. Wait 30-60 seconds

Actual Results:
Apache will start swapping to disk and the whole server will become unresponsive for a long time.

Expected Results:
The new release ignores abusive byte-range headers and serves up the whole document.
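The behaviour the reporter expects from the fixed release, "ignore abusive byte-range headers and serve the whole document", can be modelled as a small classifier in front of a Range-aware response path. The code below is an added example written for this page; it is not part of the bug report, of Apache, or of the killapache script. It parses a `Range: bytes=...` header, counts the byte-range-specs it carries, checks the satisfiable ones for overlap, and answers 200 with the full body when the header looks abusive, 206 with the requested ranges when it is benign, or 416 when nothing is satisfiable. The five-range threshold (`MAX_RANGES`), the document length and the sample headers (including one shaped like a long run of degenerate ranges after a full one) are assumptions constructed here for illustration.

```python
"""Classify HTTP Range headers and decide how to answer them.

Added example, not code from the original bug report or from Apache.
Thresholds and sample inputs below are assumptions made for illustration.
"""
import re

MAX_RANGES = 5  # assumption: more byte-range-specs than this is treated as abusive

_SPEC = re.compile(r"^(\d*)-(\d*)$")  # one byte-range-spec: "first-last", "first-", "-suffix"


def count_range_specs(header):
    """Count comma-separated byte-range-specs, including malformed/unsatisfiable ones.

    Counting rather than parsing mirrors a header-level filter: the attack
    relies on the number of specs, not on whether they make sense.
    """
    if not header.lower().startswith("bytes="):
        return 0
    return len([s for s in header[len("bytes="):].split(",") if s.strip()])


def parse_ranges(header, length):
    """Resolve a Range header against a document of `length` bytes.

    Returns a list of satisfiable inclusive (start, end) pairs, or None if the
    header is not a syntactically valid bytes range (which a server must then
    ignore). Specs with first > last or starting beyond EOF are dropped.
    """
    if not header.lower().startswith("bytes="):
        return None
    out = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m:
            return None
        first, last = m.groups()
        if first == "" and last == "":
            return None  # a bare "-" is not a range
        if first == "":
            n = int(last)  # suffix range: the last n bytes
            if n == 0:
                continue
            out.append((max(length - n, 0), length - 1))
            continue
        start = int(first)
        end = length - 1 if last == "" else min(int(last), length - 1)
        if start > end or start >= length:
            continue  # unsatisfiable spec, e.g. "5-0" or past EOF
        out.append((start, end))
    return out


def has_overlap(ranges):
    """True if any two satisfiable ranges overlap or repeat.

    Legitimate clients (download resumers, media players) ask for disjoint
    ranges; overlapping ones only make the server do redundant work.
    """
    ordered = sorted(ranges)
    return any(nxt[0] <= cur[1] for cur, nxt in zip(ordered, ordered[1:]))


def is_abusive(header, length):
    """A header is abusive if it carries too many specs or overlapping ranges."""
    if count_range_specs(header) > MAX_RANGES:
        return True
    ranges = parse_ranges(header, length)
    return bool(ranges) and has_overlap(ranges)


def respond(header, length):
    """Return (status, ranges_to_send) for a GET of a `length`-byte document.

    Abusive or malformed headers are ignored and the whole document is served,
    which is the behaviour the report expects from the fixed release.
    """
    whole = [(0, length - 1)]
    if header is None or is_abusive(header, length):
        return 200, whole
    ranges = parse_ranges(header, length)
    if ranges is None:
        return 200, whole  # malformed header: ignore it
    if not ranges:
        return 416, []  # well-formed but nothing satisfiable
    return 206, ranges


# Constructed sample inputs (assumptions, not captured traffic).
DOC_LEN = 10_000
NORMAL = "bytes=0-499,1000-1499"
OVERLAP = "bytes=0-999,500-1499,0-1999"
# One full range followed by hundreds of degenerate "5-N" specs: the shape of
# header this kind of attack sends; none of the extra specs are satisfiable.
ABUSIVE = "bytes=0-," + ",".join(f"5-{i}" for i in range(300))

if __name__ == "__main__":
    for name, hdr in [("normal", NORMAL), ("overlap", OVERLAP), ("abusive", ABUSIVE)]:
        status, ranges = respond(hdr, DOC_LEN)
        print(f"{name:8s} specs={count_range_specs(hdr):4d} -> {status} {ranges[:3]}")
```

Note the two independent criteria: the spec count catches the flood of unsatisfiable ranges even though `parse_ranges` discards all but one of them, while the overlap check catches a short header that still asks for the same bytes several times. A header-level count is what you can enforce in front of a server you cannot patch yet; the overlap check needs the document length and belongs in the handler.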