The Apache httpd server team released version 2.2.21! This release fixes a couple of security vulnerabilities as well as some other bugs. The vulnerabilities addressed in this release are:
- SECURITY: CVE-2011-3348 (cve.mitre.org)
  mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp: balancer members in an error state, avoiding denial of service.
- SECURITY: CVE-2011-3192 (cve.mitre.org)
  core: Further fixes to the handling of byte-range requests to use less memory, to avoid denial of service. This patch includes fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive.
So, yeah, this release further addresses the recently patched Apache Range Header Denial of Service Vulnerability and also introduces a new configuration directive: MaxRanges.
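A sketch of how the new MaxRanges directive can be used after upgrading, together with logging of the Range request header so oversized range lists are visible. This is an added example, not configuration from the httpd project or the original post; the directory path, the limit of 50 and the `range_audit` log name are assumptions.

```apache
# Added example; requires httpd 2.2.21 or later.
# Paths, the limit of 50 and the "range_audit" name are assumptions.

# Server-wide: honour at most 50 ranges per request (the built-in default is 200).
# A request asking for more gets the complete resource instead of the ranges.
MaxRanges 50

# Per-directory override for content where range requests serve no purpose:
# "none" makes the server ignore the Range header entirely.
<Directory "/var/www/html/api">
    MaxRanges none
</Directory>

# Setting to avoid: "unlimited" removes the cap on the number of ranges.
# MaxRanges unlimited

# Record the Range request header so long range lists show up in the logs.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Range}i\"" range_audit
CustomLog logs/range_audit_log range_audit
```

Run `apachectl configtest` after editing; a server older than 2.2.21 rejects MaxRanges as an unknown directive, which doubles as a check that the upgrade took effect.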
The changelog details everything new and fixed in this release and you can download a copy from a mirror near you.