From ff8478731d6a93cd22d06a1c4769bdc095fedaf0 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Thu, 25 Aug 2011 19:53:21 -0300
Subject: Mitigation for CVE-2011-3192

---
 templates/apache2.conf.erb | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'templates')

diff --git a/templates/apache2.conf.erb b/templates/apache2.conf.erb
index ee28bdc..e387ea8 100644
--- a/templates/apache2.conf.erb
+++ b/templates/apache2.conf.erb
@@ -89,6 +89,13 @@ MaxKeepAliveRequests 100
 #
 KeepAliveTimeout 15
 
+# Drop the Range header when more than 5 ranges.
+# CVE-2011-3192
+# See http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser
+# TODO: remove this when a fix is released
+SetEnvIf Range (,.*?){5,} bad-range=1
+RequestHeader unset Range env=bad-range
+
 ##
 ## Server-Pool Size Regulation (MPM specific)
 ## 
-- 
cgit v1.2.3