From: Bryan Call
Date: Tue, 28 Aug 2018 15:39:48 -0700
To: announce@trafficserver.apache.org, dev, users, security@trafficserver.apache.org, oss-security@lists.openwall.com
Subject: [ANNOUNCE] Apache Traffic Server vulnerability with method ACLs - CVE-2018-1318
Message-Id: <6371D290-EB1B-44E6-97D0-DCBF27ACAFA1@apache.org>

CVE-2018-1318: Apache Traffic Server vulnerability with method ACLs

Reported By: Leif Hedstrom

Vendor: The Apache Software Foundation

Version Affected:
ATS 6.0.0 to 6.2.2
ATS 7.0.0 to 7.1.3

Description:
Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request.

Mitigation:
6.x users should upgrade to 6.2.3 or later versions
7.x users should upgrade to 7.1.4 or later versions

References:
Downloads: https://trafficserver.apache.org/downloads
Github Pull Request: https://github.com/apache/trafficserver/pull/3195
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1318

-Bryan
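The advisory gives two conditions for exposure: an ATS build in one of the affected version ranges, and a remap.config that actually carries method ACLs. The script below is an added triage check written for this page; it is not part of the announcement or of the Apache Traffic Server project. It assumes the installed version is available as a dotted "major.minor.patch" string (for example taken from `traffic_server -V`, whose exact output format is an assumption here), that the remap.config path is passed in by the caller, and that method ACLs appear in remap rules as `@method=` filters. The sample remap.config it writes is constructed for the demonstration. It says nothing about the crafted request itself, which the advisory does not describe.

```shell
#!/bin/sh
# Added triage helper for CVE-2018-1318 (not from the advisory or the ATS project).
# Assumptions: version is a "major.minor.patch" string; method ACLs are written as
# "@method=..." filters on remap.config lines; comment lines start with '#'.

# ats_version_affected VERSION
#   Returns 0 when VERSION falls in 6.0.0..6.2.2 or 7.0.0..7.1.3, the ranges
#   named in the advisory; 1 otherwise. Any suffix after the patch number is ignored.
ats_version_affected() {
    v="$1"
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -z "$minor" ] && minor=0
    [ -z "$patch" ] && patch=0
    # Pack into one integer so range checks are plain comparisons:
    # 6.0.0 -> 60000, 6.2.2 -> 60202, 7.0.0 -> 70000, 7.1.3 -> 70103
    num=$((major * 10000 + minor * 100 + patch))
    if [ "$num" -ge 60000 ] && [ "$num" -le 60202 ]; then return 0; fi
    if [ "$num" -ge 70000 ] && [ "$num" -le 70103 ]; then return 0; fi
    return 1
}

# remap_uses_method_acl FILE
#   Returns 0 when any non-comment line of FILE carries a "@method=" filter.
remap_uses_method_acl() {
    grep -v '^[[:space:]]*#' "$1" | grep -q '@method='
}

# cve_2018_1318_exposed VERSION FILE
#   Prints a verdict; returns 0 only when both advisory conditions hold.
cve_2018_1318_exposed() {
    if ats_version_affected "$1" && remap_uses_method_acl "$2"; then
        echo "EXPOSED: ATS $1 with method ACLs in $2; upgrade to 6.2.3 / 7.1.4 or later"
        return 0
    fi
    echo "not exposed: ATS $1 ($2)"
    return 1
}

# demo [VERSION]
#   Writes a constructed sample remap.config (one rule restricted to GET/HEAD,
#   plus a comment that must be ignored) and runs the check against it.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample remap.config; this comment mentions @method=GET and must not count
map http://www.example.com/ http://origin.example.com/ @action=allow @method=GET @method=HEAD
EOF
    cve_2018_1318_exposed "${1:-7.1.3}" "$cfg"
    rm -f "$cfg"
}

demo "$@"
```

Run it as `sh check.sh 6.2.1` to see the exposed verdict and `sh check.sh 7.1.4` for the patched case; in practice replace `demo` with a call that passes the real version string and `/etc/trafficserver/remap.config` (path is an assumption; use the one your install reads). Only the version check and the presence of method ACLs are derived from the advisory; a rule that does not use `@method=` is not covered by this CVE's description.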