trafficserver-users mailing list archives

From Bryan Call <bc...@apache.org>
Subject [ANNOUNCE] Apache Traffic Server vulnerability with sslheader plugin
Date Tue, 12 Feb 2019 23:25:21 GMT
CVE-2018-11783: Apache Traffic Server vulnerability with sslheader plugin

Reported By:
Nikhil Marathe

Vendor:
The Apache Software Foundation

Version Affected:
ATS 6.0.0 to 6.2.3
ATS 7.0.0 to 7.1.5
ATS 8.0.0 to 8.0.1

Description:
The sslheaders plugin extracts information from the client certificate and sets headers in the
request based on the configuration of the plugin. The plugin doesn't strip the headers from
the request in some scenarios.

Mitigation:
6.x users should upgrade to 7.1.6, 8.0.2, or later versions
7.x users should upgrade to 7.1.6 or later versions
8.x users should upgrade to 8.0.2 or later versions

References:
	Downloads:
		https://trafficserver.apache.org/downloads
	Github Pull Request:
		https://github.com/apache/trafficserver/pull/4701
	CVE:
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11783

-Bryan



