Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <A9E2B7B3-FCD2-4439-8B86-21C3B1BD5339@apache.org>
Date: Tue, 28 Aug 2018 17:17:01 -0700
From: Bryan Call <bcall@...che.org>
To: users <users@...fficserver.apache.org>
Cc: announce@...fficserver.apache.org,
 dev <dev@...fficserver.apache.org>,
 security@...fficserver.apache.org,
 oss-security@...ts.openwall.com
Subject: Re: [ANNOUNCE] Apache Traffic Server vulnerability with header
 variable access in the ESI plugin - CVE-2018-8040

There was an error in the Version Affected section.  This also effects version 7.1.3 and users running 7.x should upgrade to 7.1.4 or later versions.

Thank you,

-Bryan



> On Aug 28, 2018, at 3:39 PM, Bryan Call <bcall@...che.org> wrote:
> 
> CVE-2018-8040: Apache Traffic Server vulnerability with header variable access in the ESI plugin
> 
> Reported By:
> Louis Dion-Marcil
> 
> Vendor:
> The Apache Software Foundation
> 
> Version Affected:
> ATS 6.0.0 to 6.2.2
> ATS 7.0.0 to 7.1.2
> 
> Description:
> Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configure not to allow access.
> 
> Mitigation:
> 6.x users should upgrade to 6.2.3 or later versions
> 7.x users should upgrade to 7.1.3 or later versions
> 
> References:
> 	Downloads:
> 		https://trafficserver.apache.org/downloads
> 	Github Pull Request:
> 		https://github.com/apache/trafficserver/pull/3926
> 	CVE:
> 		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040
> 
> -Bryan
> 
> 
> 


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.