From: Bryan Call
Subject: [ANNOUNCE] Apache Traffic Server releases for security incident CVE-2014-3525
Date: Wed, 23 Jul 2014 08:26:39 -0700
To: users@trafficserver.apache.org, announce@apache.org

Everyone,

Below is our announcement for the security issue reported to us from Yahoo! Japan. All versions of Apache Traffic Server are vulnerable. We urge users to upgrade to either 4.2.1.1 or 5.0.1 immediately.
There is also a patch for 3.2.5 located under the patches directory and there are no further releases of 3.2.x.

The artifacts are available for download at:
https://dist.apache.org/repos/dist/release/trafficserver/

-rw-r--r-- 1 bcall bcall 7440366 Jul 23 01:50 trafficserver-5.0.1.tar.bz2
-rw-r--r-- 1 bcall bcall     819 Jul 23 01:51 trafficserver-5.0.1.tar.bz2.asc
-rw-r--r-- 1 bcall bcall      62 Jul 23 01:50 trafficserver-5.0.1.tar.bz2.md5
-rw-r--r-- 1 bcall bcall      70 Jul 23 01:50 trafficserver-5.0.1.tar.bz2.sha1
MD5: 76d5d7fea7ab1e3e1a09169ad0941767
SHA1: 13e6810ed7ad36b66e9dd0b3394fd059062a1f93

-rw-r--r-- 1 bcall bcall 6686865 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2
-rw-r--r-- 1 bcall bcall     819 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.asc
-rw-r--r-- 1 bcall bcall      64 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.md5
-rw-r--r-- 1 bcall bcall      72 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.sha1
MD5: 7d154544c4953973570b4713a78cb0cb
SHA1: 1cd542a52ac7ed71ae95ec40d0076c45df0c5f27

This fixes CVE-2014-3525 and limits access to how the health checks are performed.

We would like to thank everyone involved with reporting and working on this incident.

Sincerely,

-- Bryan, on behalf of the Apache Traffic Server community