This also affects 7.1.7 and 8.0.4. I updated the version range below.
-Bryan
> On Aug 20, 2019, at 11:36 AM, Bryan Call <bcall@apache.org> wrote:
>
> Description:
> ATS is vulnerable to a HTTP/2 attack with empty frames
>
> CVE:
> CVE-2019-9518 Empty Frames Flood
>
> Reported By:
> Piotr Sikora
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.0.0 to 6.2.3
> ATS 7.0.0 to 7.1.7
> ATS 8.0.0 to 8.0.4
>
> Mitigation:
> Turn off HTTP/2 or upgrade ATS to a current version
> 6.x users should upgrade to 7.1.8, 8.0.5, or later versions
> 7.x users should upgrade to 7.1.8 or later versions
> 8.x users should upgrade to 8.0.5 or later versions
>
> References:
> Downloads:
> https://trafficserver.apache.org/downloads
> (Please use backup sites from the link only if the mirrors are unavailable)
> Github Pull Request:
> https://github.com/apache/trafficserver/pull/5850
> CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
>
> -Bryan
>
>
|