Does the "Apache Killer" vulnerability affect us?


#1

A new vulnerability in Apache httpd has been discovered: "Tool causes Apache web server to freeze" (h-online)
Apparently Apache 2.2.* can be knocked out by a single client via a special sequence of HTTP Range headers.
Does this affect Dreamhost shared hosting?
If it does, should we or Dreamhost implement the proposed hotfix to disallow multiple Range headers?


#2

We’re aware of the issue, and will be implementing a fix as soon as one is available. The proposed mod_rewrite hotfix isn’t currently suitable, as it would end up blocking a significant amount of legitimate traffic (e.g., download accelerators) as well.


#3

Could this cause a site to report a 301 Moved Permanently (to a malformed destination)?


#4

No.


#5

We’ve now got some measures in place to handle this.