Status Tracking Note JVNTR-2011-05

Apache HTTPD 1.3/2.x Range header DoS vulnerability (CVE-2011-3192, JVNVU#405811)

Overview

The Apache HTTPD server contains a denial-of-service vulnerability in the way it handles a Range header that requests many overlapping byte ranges: processing such a request consumes disproportionate memory and CPU on the server.
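
The advisory's workaround was to stop honouring abusive Range headers before the server processes them. The following is an added example (not code from the advisory, JPN or the Apache project) of that check in Python: it parses a byte-range header, counts the ranges, detects overlaps, and returns a verdict; MAX_RANGES, the function names and the sample headers are assumptions made for this example.

```python
import re

# Assumed policy value for this example: honour at most this many ranges per
# request; beyond that the whole resource is served instead.
MAX_RANGES = 5

_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header_value, content_length):
    """Parse 'bytes=a-b,c-,-n' into resolved (first, last) byte offsets.
    Raises ValueError on anything that is not a well-formed byte range."""
    unit, _, specs = header_value.strip().partition("=")
    if unit.lower() != "bytes" or not specs:
        raise ValueError("unsupported or empty range unit")
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            raise ValueError("malformed range spec %r" % spec)
        first, last = m.group(1), m.group(2)
        if first == "":  # "-n" means the final n bytes of the resource
            ranges.append((max(content_length - int(last), 0), content_length - 1))
        else:
            end = content_length - 1 if last == "" else int(last)
            ranges.append((int(first), min(end, content_length - 1)))
    return ranges


def count_overlapping(ranges):
    """Number of satisfiable ranges that intersect an earlier range."""
    overlaps, end = 0, -1
    for first, last in sorted(r for r in ranges if r[0] <= r[1]):
        if first <= end:
            overlaps += 1
        end = max(end, last)
    return overlaps


def assess_range_header(header_value, content_length, max_ranges=MAX_RANGES):
    """Decide what to do with one request's Range header.
    'allow'  -> honour it; 'ignore' -> drop the header and serve the whole
    resource (the advisory's workaround shape); 'reject' -> malformed."""
    try:
        ranges = parse_byte_ranges(header_value, content_length)
    except ValueError as exc:
        return "reject", str(exc)
    if len(ranges) > max_ranges:
        return "ignore", "%d ranges exceeds limit of %d" % (len(ranges), max_ranges)
    overlaps = count_overlapping(ranges)
    if overlaps:
        return "ignore", "%d overlapping ranges" % overlaps
    return "allow", "ok"
```

A normal resume download such as `bytes=500-` is allowed, while a constructed header like `bytes=0-,0-9,1-10,2-11,3-12,4-13,5-14` is ignored for exceeding the range limit; the same header applies to the Request-Range variant the advisory notes as equally affected.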
Event Information

Date (UTC)        Source         Description

2011-09-15 01:22  JPCERT/CC
  JPCERT-AT-2011-0023: Apache HTTP Server DoS Vulnerability
  Public notification for "Apache HTTPD Security ADVISORY (UPDATE 3 - FINAL)".
  Public notification for "Update (Apache HTTP Server 2.2.21)".

2011-09-14 06:11  Apache
  Source code patch
  Source code patch released:
    CVE-2011-3192-2.2.14-byterange-fixes.patch
    CVE-2011-3192-2.2.19-byterange-fixes.patch
    CVE-2011-3192-2.0.64-byterange-fixes.patch

2011-09-14 06:06  Apache
  Advisory: Range header DoS vulnerability Apache HTTPD prior to 2.2.20.
  Security Advisory (UPDATE 3 - FINAL) published.
  Apache 2.0 - all versions prior to 2.2.20 and prior to 2.0.65 are vulnerable.
  Apache 1.3 is NOT vulnerable.

2011-09-12 17:02  Apache
  Changes with Apache 2.2.21
  Update released: Apache HTTP Server 2.2.21

2011-09-01 11:54  Apache
  Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
  Security Advisory (UPDATE 3 - FINAL) published.
  Apache 2.0 - all versions prior to 2.2.20 are vulnerable.
  Apache 1.3 is NOT vulnerable.

2011-09-01 06:48  Apache
  Bug 51748 - Apache 2.2.20 Range fix regression. Negative value handling
  Range fix regression.

2011-08-31 05:42  JPCERT/CC
  JPCERT-AT-2011-0023: Apache HTTP Server DoS Vulnerability
  Public notification for "Security Update (Apache HTTP Server 2.2.20)".

2011-08-30 18:07  Apache
  Fixed in Apache httpd 2.2.20
  Security Update released: Apache HTTP Server 2.2.20

2011-08-26 10:35  Apache
  Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
  Security Advisory (UPDATE 2) published.
  In addition to the 'Range' header - the 'Range-Request' header is equally affected.

2011-08-26        US-CERT
  VU#405811: Apache HTTPD 1.3/2.x Range header DoS vulnerability
  Public notification for "Security Advisory (Apache HTTPD Security Advisory Update 2)".

2011-08-24 16:16  Apache
  Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
  Security Advisory published.
  Apache 1.3 all versions and Apache 2 all versions are vulnerable.

2011-08-19 22:23  Full-disclosure
  Apache Killer
  Vulnerability proof-of-concept code posted to the mailing list.

Reference

Date first published (UTC): 2011-08-31T22:04+00:00
Date last updated (UTC): 2011-09-19T15:55+00:00