-rw-r--r-- | manifests/nodes/champagne.pp | 3 | ||||
-rw-r--r-- | modules/apache/manifests/CVE-2011-3192.pp | 8 | ||||
-rw-r--r-- | modules/apache/templates/CVE-2011-3192.conf | 12 |
3 files changed, 23 insertions, 0 deletions
diff --git a/manifests/nodes/champagne.pp b/manifests/nodes/champagne.pp
index fbb38248..c3b68a85 100644
--- a/manifests/nodes/champagne.pp
+++ b/manifests/nodes/champagne.pp
@@ -15,4 +15,7 @@ node champagne {
 include dashboard
 include access_classes::web
 include openssh::ssh_keys_from_ldap
+
+ # temporary protection for CVE-2011-3192
+ include apache::CVE-2011-3192
 }
diff --git a/modules/apache/manifests/CVE-2011-3192.pp b/modules/apache/manifests/CVE-2011-3192.pp
new file mode 100644
index 00000000..c4d12221
--- /dev/null
+++ b/modules/apache/manifests/CVE-2011-3192.pp
@@ -0,0 +1,8 @@
+class apache::CVE-2011-3192 {
+ # temporary protection against CVE-2011-3192
+ # http://httpd.apache.org/security/CVE-2011-3192.txt
+ apache::config {
+ '/etc/httpd/conf.d/CVE-2011-3192.conf':
+ content => template('apache/CVE-2011-3192.conf'),
+ }
+}
diff --git a/modules/apache/templates/CVE-2011-3192.conf b/modules/apache/templates/CVE-2011-3192.conf
new file mode 100644
index 00000000..25751adc
--- /dev/null
+++ b/modules/apache/templates/CVE-2011-3192.conf
@@ -0,0 +1,12 @@
+ # Drop the Range header when more than 5 ranges.
+ # CVE-2011-3192
+ SetEnvIf Range (?:,.*?){5,5} bad-range=1
+ RequestHeader unset Range env=bad-range
+
+ # We always drop Request-Range; as this is a legacy
+ # dating back to MSIE3 and Netscape 2 and 3.
+ #
+ RequestHeader unset Request-Range
+
+ # optional logging.
+ CustomLog logs/range-CVE-2011-3192.log common env=bad-range
|
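Review bot: Nothing in `apache::CVE-2011-3192` ensures that mod_headers and mod_setenvif are loaded before the file is placed in `/etc/httpd/conf.d/`; the template uses `RequestHeader` and `SetEnvIf`, and httpd refuses to start when it meets a directive from a module that is not loaded. `apache::config` is defined outside this diff, so it may already validate the configuration or handle the reload; if it does not, a comment such as `# requires mod_headers and mod_setenvif` plus a dependency on whatever resource enables those modules would make the precondition explicit. The class is described as temporary but has no removal path: dropping the include later would presumably leave the conf file on disk unless `apache::config` cleans up unmanaged files.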
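Review bot: The `CustomLog logs/range-CVE-2011-3192.log common env=bad-range` line at the end of the template sits at server scope, and httpd does not apply main-server log directives to a virtual host that defines its own `CustomLog`, so on such vhosts the Range header is still stripped but the event is never recorded. Whether this host has such vhosts is not visible here; if it does, the same line needs repeating inside them, and a comment such as `# vhosts with their own CustomLog need this line repeated to log stripped requests` would make that clear. Requests that only have their `Request-Range` header removed are not logged at all, since that `RequestHeader unset` is unconditional and sets no environment variable for the log condition to match.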