Does the "Apache Killer" vulnerability affect us?


A new vulnerability in Apache httpd has been discovered: Tool causes Apache web server to freeze (h-online)
Apparently Apache 2.2.* can be knocked out by a single client via a special sequence of HTTP Range headers.
Does this affect Dreamhost shared hosting?
If it does, should we or Dreamhost implement the proposed hotfix to disallow multiple Range headers?


We’re aware of the issue, and will be implementing a fix as soon as one is available. The proposed mod_rewrite hotfix isn’t currently suitable, as it would end up blocking a significant amount of legitimate traffic (e.g., download accelerators) as well.
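
An added example, not part of the thread and not Dreamhost's or Apache's code: one way to count the byte ranges a request asks for, so that a filter or a log review can tell a single-range request apart from one carrying many ranges. The threshold MAX_RANGES, the function names and the sample requests are assumptions made for this sketch.

```python
import re

MAX_RANGES = 5  # assumed threshold, not taken from the thread
_SPEC = re.compile(r"^(\d*)-(\d*)$")  # first-last, first-, or -suffix


def parse_range_header(value):
    """Return [(first, last), ...] for a bytes Range value, or None if malformed."""
    unit, sep, specs = value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for part in specs.split(","):
        part = part.strip()
        if not part:
            continue  # empty list elements are tolerated
        m = _SPEC.match(part)
        if not m or not (m.group(1) or m.group(2)):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None
        ranges.append((first, last))
    return ranges or None


def classify(headers):
    """headers: (name, value) pairs of one request -> verdict string."""
    values = [v for n, v in headers if n.lower() == "range"]
    if not values:
        return "no-range"
    total = 0
    for v in values:
        parsed = parse_range_header(v)
        if parsed is None:
            return "malformed"
        total += len(parsed)  # ranges add up across repeated Range lines
    return "excessive" if total > MAX_RANGES else "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain": [("Host", "example.test")],
    "segment": [("Range", "bytes=1048576-2097151")],
    "many": [("Range", "bytes=" + ",".join(f"{i*10}-{i*10+9}" for i in range(20)))],
    "split": [("Range", "bytes=0-9,20-29,40-49"), ("Range", "bytes=60-69,80-89,100-")],
    "bad": [("Range", "bytes=abc")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, classify(hdrs))
```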


Could this cause a site to report a 301 Moved Permanently (to a malformed destination)?




We’ve now got some measures in place to handle this.