
    Apache security vulnerability

    • Article Type: General
    • Product: Aleph
    • Product Version: 20

    Description:
The Apache project has released a security advisory concerning a DoS tool that takes advantage of an unpatched vulnerability in Apache 1.3, 2.0 and 2.2. The tool creates a DoS condition by sending specially crafted requests that end up consuming memory and CPU on the web server, resulting in it becoming unavailable. There is no patch for the issue yet; however, Apache has said that they will make a fix available in the next day or so for the 2.0 and 2.2 versions (1.3 is no longer supported). In the meantime, there are mitigation recommendations contained in the advisory:

    http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110824161640.122D387DD@minotaur.apache.org%3E

    We will pass along the info on the patch when it is released, and we highly recommend deploying the patch ASAP.

    Will Ex Libris be validating the workaround with Aleph, or updating the version of Apache that's bundled with the product? Can we go ahead on our own?

    Resolution:
    Corrected by v20 rep_change 3592:

    Unix files:
    ./alephe/apache/conf/httpd.conf.tml
    ...
    Implementation Notes:

    1. Add the following line to the file ./alephe/apache/conf/httpd.conf, just BEFORE the "Section 2" line:

    RequestHeader unset Range

    2. Restart the Apache server.

    3. Restart the web server.

    <end v20 rep_change 3592>

Note: The same change could be made in the ./alephe/apache/conf/httpd.conf for Aleph versions 18 and 19 (Apache 2.0).

    If you have ARC, the patch should be applied to the ARC ./crn/apache/conf/httpd.conf file on the ARC server, just as it is applied to the ./alephe/apache/conf/httpd.conf file.
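The `RequestHeader unset Range` line above (which needs mod_headers loaded, and which also stops legitimate byte-range requests such as resumed downloads) removes the header before Apache processes it. The following is an added example, not part of this Ex Libris article and not Apache's own code, for checking access logs for the kind of request this mitigation blocks: a single request whose Range header lists far more byte ranges than any normal client asks for. It assumes a log format that records the Range header in a trailing quoted field (Apache's `%{Range}i` appended to the combined format); the threshold `MAX_RANGES` and all log lines are constructed for the example.

```python
"""
Added example (not from the Ex Libris article or from Apache): parse HTTP
Range headers, count the byte ranges they request, and flag access-log
entries whose Range header lists an abusive number of ranges.
"""
import re

# Assumption: a legitimate download manager or media player rarely asks for
# more than a handful of ranges in one request. Tune for your environment.
MAX_RANGES = 5

_RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)


def parse_ranges(header_value):
    """Return the (start, end) pairs in a Range header value.

    start or end is None for open-ended specs such as "500-" or "-500".
    Returns an empty list when the value is not a byte-range spec at all.
    """
    m = _RANGE_RE.match(header_value or "")
    if not m:
        return []
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not spec or "-" not in spec:
            continue
        start, _, end = spec.partition("-")
        start = int(start) if start.strip().isdigit() else None
        end = int(end) if end.strip().isdigit() else None
        if start is None and end is None:
            continue
        ranges.append((start, end))
    return ranges


def is_abusive_range(header_value, max_ranges=MAX_RANGES):
    """True if the header lists more ranges than a legitimate client needs."""
    return len(parse_ranges(header_value)) > max_ranges


# Assumed log layout: combined format followed by the Range header in quotes,
# i.e. LogFormat "... \"%{Range}i\"". Apache writes "-" when the header is absent.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" "(?P<range>[^"]*)"$'
)


def scan_log(lines, max_ranges=MAX_RANGES):
    """Yield (client_ip, request_line, range_count) for abusive requests."""
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        rng = m.group("range")
        if rng == "-":
            continue  # no Range header on this request
        n = len(parse_ranges(rng))
        if n > max_ranges:
            yield m.group("ip"), m.group("req"), n


# Constructed sample: a normal resumed download (one range), a request with
# many overlapping ranges, and a request with no Range header at all.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Aug/2011:16:20:01 +0000] "GET /big.iso HTTP/1.1" '
    '206 1048576 "-" "curl/7.21" "bytes=1048576-2097151"',
    '203.0.113.9 - - [24/Aug/2011:16:20:02 +0000] "HEAD / HTTP/1.1" '
    '206 0 "-" "Mozilla/5.0" "bytes=0-1,1-2,2-3,3-4,4-5,5-6,6-7,7-8"',
    '192.0.2.5 - - [24/Aug/2011:16:20:03 +0000] "GET /index.html HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for ip, req, n in scan_log(SAMPLE_LOG):
        print(f"{ip} sent {n} byte ranges in: {req}")
```

Run against a real log only after adding the `%{Range}i` field to the LogFormat; on a server where the `RequestHeader unset Range` mitigation is active, the field should log as "-" for every request, which is itself a quick way to confirm the change took effect after the restart.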


    • Article last edited: 10/8/2013