A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by Apache.
Affected versions: Apache 1.3 all versions, Apache 2 all versions
Apache web servers that allows a DOS attack.
The vulnerability commonly manifests itself when static content is made available with on-the-fly compression through mod_deflate, but other modules which buffer and/or generate content in memory are likely to be affected as well.
The attack can be done remotely and, with a modest number of requests, leads to very significant memory and CPU usage.
Apache HTTPD users are advised to investigate whether they are vulnerable (e.g. allow Range headers and use mod_deflate) and consider implementing any of the above mitigations.
There is currently no patch or new version of Apache which fixes this vulnerability. This advisory will be updated when a long-term fix is available. A fix is expected in the next 96 hours.