aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/nodes/champagne.pp3
-rw-r--r--modules/apache/manifests/CVE-2011-3192.pp8
-rw-r--r--modules/apache/templates/CVE-2011-3192.conf12
3 files changed, 23 insertions, 0 deletions
diff --git a/manifests/nodes/champagne.pp b/manifests/nodes/champagne.pp
index fbb38248..c3b68a85 100644
--- a/manifests/nodes/champagne.pp
+++ b/manifests/nodes/champagne.pp
@@ -15,4 +15,7 @@ node champagne {
include dashboard
include access_classes::web
include openssh::ssh_keys_from_ldap
+
+ # temporary protection for CVE-2011-3192
+ include apache::CVE-2011-3192
}
diff --git a/modules/apache/manifests/CVE-2011-3192.pp b/modules/apache/manifests/CVE-2011-3192.pp
new file mode 100644
index 00000000..c4d12221
--- /dev/null
+++ b/modules/apache/manifests/CVE-2011-3192.pp
@@ -0,0 +1,8 @@
+class apache::CVE-2011-3192 {
+ # temporary protection against CVE-2011-3192
+ # http://httpd.apache.org/security/CVE-2011-3192.txt
+ apache::config {
+ '/etc/httpd/conf.d/CVE-2011-3192.conf':
+ content => template('apache/CVE-2011-3192.conf'),
+ }
+}
diff --git a/modules/apache/templates/CVE-2011-3192.conf b/modules/apache/templates/CVE-2011-3192.conf
new file mode 100644
index 00000000..25751adc
--- /dev/null
+++ b/modules/apache/templates/CVE-2011-3192.conf
@@ -0,0 +1,12 @@
+ # Drop the Range header when more than 5 ranges.
+ # CVE-2011-3192
+ SetEnvIf Range (?:,.*?){5,5} bad-range=1
+ RequestHeader unset Range env=bad-range
+
+ # We always drop Request-Range; as this is a legacy
+ # dating back to MSIE3 and Netscape 2 and 3.
+ #
+ RequestHeader unset Request-Range
+
+ # optional logging.
+ CustomLog logs/range-CVE-2011-3192.log common env=bad-range