From ba8e3a7ad2195b5d7fd6624c988c9d263f1547e5 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Thu, 31 May 2012 23:05:13 +0000 Subject: add temporary fix on champagne for CVE-2011-3192 --- manifests/nodes/champagne.pp | 3 +++ modules/apache/manifests/CVE-2011-3192.pp | 8 ++++++++ modules/apache/templates/CVE-2011-3192.conf | 12 ++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 modules/apache/manifests/CVE-2011-3192.pp create mode 100644 modules/apache/templates/CVE-2011-3192.conf diff --git a/manifests/nodes/champagne.pp b/manifests/nodes/champagne.pp index fbb38248..c3b68a85 100644 --- a/manifests/nodes/champagne.pp +++ b/manifests/nodes/champagne.pp @@ -15,4 +15,7 @@ node champagne { include dashboard include access_classes::web include openssh::ssh_keys_from_ldap + + # temporary protection for CVE-2011-3192 + include apache::CVE-2011-3192 } diff --git a/modules/apache/manifests/CVE-2011-3192.pp b/modules/apache/manifests/CVE-2011-3192.pp new file mode 100644 index 00000000..c4d12221 --- /dev/null +++ b/modules/apache/manifests/CVE-2011-3192.pp @@ -0,0 +1,8 @@ +class apache::CVE-2011-3192 { + # temporary protection against CVE-2011-3192 + # http://httpd.apache.org/security/CVE-2011-3192.txt + apache::config { + '/etc/httpd/conf.d/CVE-2011-3192.conf': + content => template('apache/CVE-2011-3192.conf'), + } +} diff --git a/modules/apache/templates/CVE-2011-3192.conf b/modules/apache/templates/CVE-2011-3192.conf new file mode 100644 index 00000000..25751adc --- /dev/null +++ b/modules/apache/templates/CVE-2011-3192.conf @@ -0,0 +1,12 @@ + # Drop the Range header when more than 5 ranges. + # CVE-2011-3192 + SetEnvIf Range (?:,.*?){5,5} bad-range=1 + RequestHeader unset Range env=bad-range + + # We always drop Request-Range; as this is a legacy + # dating back to MSIE3 and Netscape 2 and 3. + # + RequestHeader unset Request-Range + + # optional logging. + CustomLog logs/range-CVE-2011-3192.log common env=bad-range -- cgit v1.2.1