author | Nicolas Vigier <boklm@mageia.org> | 2012-05-31 23:05:13 +0000 |
---|---|---|
committer | Nicolas Vigier <boklm@mageia.org> | 2012-05-31 23:05:13 +0000 |
commit | ba8e3a7ad2195b5d7fd6624c988c9d263f1547e5 (patch) | |
tree | d46f0fc4058c0e5250bc9e16d7a9b26f6bc5c286 | |
parent | 6f99926171e989a0862cded41a1e3fdcdb16c599 (diff) | |
add temporary fix on champagne for CVE-2011-3192
-rw-r--r-- | manifests/nodes/champagne.pp | 3 | ||||
-rw-r--r-- | modules/apache/manifests/CVE-2011-3192.pp | 8 | ||||
-rw-r--r-- | modules/apache/templates/CVE-2011-3192.conf | 12 |
3 files changed, 23 insertions, 0 deletions
diff --git a/manifests/nodes/champagne.pp b/manifests/nodes/champagne.pp
index fbb38248..c3b68a85 100644
--- a/manifests/nodes/champagne.pp
+++ b/manifests/nodes/champagne.pp
@@ -15,4 +15,7 @@ node champagne {
 include dashboard
 include access_classes::web
 include openssh::ssh_keys_from_ldap
+
+ # temporary protection for CVE-2011-3192
+ include apache::CVE-2011-3192
 }
diff --git a/modules/apache/manifests/CVE-2011-3192.pp b/modules/apache/manifests/CVE-2011-3192.pp
new file mode 100644
index 00000000..c4d12221
--- /dev/null
+++ b/modules/apache/manifests/CVE-2011-3192.pp
@@ -0,0 +1,8 @@
+class apache::CVE-2011-3192 {
+ # temporary protection against CVE-2011-3192
+ # http://httpd.apache.org/security/CVE-2011-3192.txt
+ apache::config {
+ '/etc/httpd/conf.d/CVE-2011-3192.conf':
+ content => template('apache/CVE-2011-3192.conf'),
+ }
+}
diff --git a/modules/apache/templates/CVE-2011-3192.conf b/modules/apache/templates/CVE-2011-3192.conf
new file mode 100644
index 00000000..25751adc
--- /dev/null
+++ b/modules/apache/templates/CVE-2011-3192.conf
@@ -0,0 +1,12 @@
+ # Drop the Range header when more than 5 ranges.
+ # CVE-2011-3192
+ SetEnvIf Range (?:,.*?){5,5} bad-range=1
+ RequestHeader unset Range env=bad-range
+
+ # We always drop Request-Range; as this is a legacy
+ # dating back to MSIE3 and Netscape 2 and 3.
+ #
+ RequestHeader unset Request-Range
+
+ # optional logging.
+ CustomLog logs/range-CVE-2011-3192.log common env=bad-range |
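Review bot: The class name `apache::CVE-2011-3192` in modules/apache/manifests/CVE-2011-3192.pp uses uppercase letters and hyphens, which Puppet's naming rules for classes do not allow (lowercase letters, digits and underscores only); hyphenated names were tolerated only by some older releases, so this is likely to break on a Puppet upgrade. A name such as `class apache::cve_2011_3192 {`, with the manifest file renamed to match and `include apache::cve_2011_3192` in champagne.pp, avoids that. Since the comment calls the protection temporary, I would also state the removal condition next to it, e.g. `# remove once the httpd package on champagne carries the upstream fix`, so the workaround does not outlive its purpose unnoticed.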
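Review bot: In modules/apache/templates/CVE-2011-3192.conf the `RequestHeader` lines depend on mod_headers and `SetEnvIf` on mod_setenvif, and nothing in this commit shows those modules being loaded on champagne; if mod_headers is missing, httpd will refuse to start on this file. I would have the manifest ensure the module is loaded rather than wrap the directives in `<IfModule>`, because a silently skipped block leaves the host unprotected with no visible error. The `CustomLog` is declared at server level, so virtual hosts that define their own `CustomLog` will presumably not write to it; if the log is meant for detection it needs repeating in those vhosts, and `combined` instead of `common` would also record the User-Agent. The relative `logs/` path resolves under ServerRoot, so it is worth confirming that log rotation covers the new file.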