The new release of the free Apache web server, version 2.2.21, is a bug fix and security release in which the developers focus on the vulnerability that made servers susceptible to Denial-of-Service (DoS) attacks.
The new version corrects and complements the first fix, released two weeks ago. It corrects an incompatibility with the HTTP specification and changes the interpretation of the MaxRange directive. It also fixes flaws in mod_proxy_ajp, the module that provides support for the Apache JServ protocol.
Users should update their Apache installations as soon as possible.
However, those who use Apache 2.0 will still need to wait: corrections for this version are to be incorporated into version 2.0.65, expected shortly. Those who use version 1.3 are not affected by the byte range bug.
The Apache developers explain the background of the byte range vulnerability in an online document.
There, they also describe various options for protecting servers against DoS attacks that exploit this vulnerability. The document also mentions a ticket on the byte range topic opened by the IETF, which is responsible for the HTTP standard. In that ticket, the IETF said the protocol itself is vulnerable to DoS attacks because of, for instance, the potential presence of many small or overlapping byte range requests.
Changes to RFC 2616 are intended to correct that issue. The IETF stipulates that clients must no longer send overlapping byte ranges, and that servers may coalesce such overlapping ranges into a single range. Ranges within a request must be separated by a gap greater than 80 bytes and must be listed in ascending order, said the IETF.
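The following is an added illustration, not code from the Apache project or from the article, of how a server-side check could apply the IETF rules just described: parse a Range header, report which rule a client broke (ascending order, no overlaps, gap greater than 80 bytes), and coalesce ranges the way the IETF permits servers to. The `max_ranges` cap only mirrors the idea behind Apache's MaxRange directive; its value of 200 and all function names are assumptions.

```python
import re
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive byte positions within the response body


def parse_ranges(header: str, size: int) -> List[Range]:
    """Parse an RFC 2616 Range header ('bytes=a-b,c-,-n') against a body of `size` bytes."""
    m = re.fullmatch(r"bytes=(.+)", header.strip())
    if not m:
        raise ValueError("unsupported or malformed Range header")
    ranges: List[Range] = []
    for spec in m.group(1).split(","):
        first, _, last = spec.strip().partition("-")
        if not first:                        # suffix form '-n': the last n bytes
            n = int(last)
            if n == 0:
                raise ValueError("unsatisfiable suffix range")
            ranges.append((max(size - n, 0), size - 1))
        else:
            start = int(first)
            end = int(last) if last else size - 1   # 'a-' means "to the end"
            if start >= size or start > end:
                raise ValueError("unsatisfiable range")
            ranges.append((start, min(end, size - 1)))
    return ranges


def audit_ranges(ranges: List[Range], min_gap: int = 80, max_ranges: int = 200) -> List[str]:
    """Name each IETF rule the client broke: order, overlap, gap > min_gap, plus an assumed count cap."""
    problems = []
    if len(ranges) > max_ranges:
        problems.append("too_many")
    ordered = sorted(ranges)
    if ranges != ordered:
        problems.append("out_of_order")
    for (_, prev_end), (start, _) in zip(ordered, ordered[1:]):
        if start <= prev_end:
            problems.append("overlap")
        elif start - prev_end - 1 <= min_gap:   # bytes between the two ranges
            problems.append("gap_too_small")
    return sorted(set(problems))


def coalesce(ranges: List[Range], min_gap: int = 80) -> List[Range]:
    """Merge ranges that overlap or lie within min_gap of each other, as the IETF lets servers do."""
    merged: List[Range] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + min_gap + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged
```

A server that rejects requests with any audit finding, or serves only the coalesced list, no longer does a separate body copy per requested range, which is the resource blow-up the byte range bug relied on.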