trafficserver-users mailing list archives

From Bryan Call <bc...@yahoo-inc.com>
Subject [ANNOUNCE] Apache Traffic Server releases for security incident CVE-2014-3525
Date Wed, 23 Jul 2014 15:26:39 GMT
Everyone,

Below is our announcement for the security issue reported to us from 
Yahoo! Japan.  All versions of Apache Traffic Server are vulnerable.
We urge users to upgrade to either 4.2.1.1 or 5.0.1 immediately.  There
is also a patch for 3.2.5 located under the patches directory and there
are no further releases of 3.2.x.

The artifacts are available for download at:
https://dist.apache.org/repos/dist/release/trafficserver/

-rw-r--r--  1 bcall  bcall  7440366 Jul 23 01:50 trafficserver-5.0.1.tar.bz2
-rw-r--r--  1 bcall  bcall      819 Jul 23 01:51 trafficserver-5.0.1.tar.bz2.asc
-rw-r--r--  1 bcall  bcall       62 Jul 23 01:50 trafficserver-5.0.1.tar.bz2.md5
-rw-r--r--  1 bcall  bcall       70 Jul 23 01:50 trafficserver-5.0.1.tar.bz2.sha1

MD5: 76d5d7fea7ab1e3e1a09169ad0941767
SHA1: 13e6810ed7ad36b66e9dd0b3394fd059062a1f93

-rw-r--r--  1 bcall  bcall  6686865 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2
-rw-r--r--  1 bcall  bcall      819 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.asc
-rw-r--r--  1 bcall  bcall       64 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.md5
-rw-r--r--  1 bcall  bcall       72 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.sha1

MD5: 7d154544c4953973570b4713a78cb0cb
SHA1: 1cd542a52ac7ed71ae95ec40d0076c45df0c5f27

This fixes CVE-2014-3525 and limits access to how the health checks
are performed.


We would like to thank everyone involved with reporting and working on this
incident.


Sincerely,

-- Bryan, on behalf of the Apache Traffic Server community
