
apache 1.3.34 security fix question

10-18-2005
Jeff Long
 

In the change log for apache 1.3.34 it states:

SECURITY: core: If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some
HTTP Request Splitting/Spoofing attacks. This has no impact on
mod_proxy_http, yet affects any module which supports chunked
encoding yet fails to prefer T-E: chunked over the Content-Length
purported value. [Paul Querna, Joe Orton]

From all of my research I can't tell if this fix really is only needed
when 1.3.x is being used as a proxy server or if it also takes care of
security problems when 1.3.x is being used as an endpoint.

Does anyone have an authoritative answer to this?

Thanks,

Jeff Long
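
The rule in the changelog entry quoted above, as an added example (not part of the original post and not Apache's code): a constructed request carrying both headers is read differently by a module that trusts Content-Length first and one that prefers chunked encoding, and dropping Content-Length makes the two agree. The function names, the sample request and the simplified chunk decoder are assumptions made for illustration.

```python
# Added illustration; names and sample data are assumptions, not Apache code.

# Constructed request carrying both headers (not a captured one).
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")

def parse(raw):
    """Split a raw request into ([(name, value)], body_bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers, body

def values(headers, name):
    return [v for n, v in headers if n == name]

def normalize(headers):
    """Changelog rule: if Transfer-Encoding is present, drop Content-Length."""
    if values(headers, "transfer-encoding"):
        return [(n, v) for n, v in headers if n != "content-length"]
    return list(headers)

def dechunk(body):
    """Minimal chunked decoder: ignores chunk extensions and trailers."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            return out
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2                  # skip data and its CRLF

def body_seen(headers, body, prefer):
    """Body as read by a module preferring 'cl' (Content-Length) or 'te'."""
    cl = values(headers, "content-length")
    chunked = any(v.lower() == "chunked" for v in values(headers, "transfer-encoding"))
    if cl and (prefer == "cl" or not chunked):
        return body[:int(cl[0])]
    return dechunk(body) if chunked else b""

if __name__ == "__main__":
    hdrs, body = parse(SAMPLE)
    for label, h in (("as received", hdrs), ("normalized", normalize(hdrs))):
        print(label, body_seen(h, body, "cl"), body_seen(h, body, "te"))
```

On the request as received the two readings differ in body length; after `normalize` both return the chunked body.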
 