Date: Thu, 22 Jan 2015 19:41:21 +1300 From: Matthew Daley <mattd@...fuzz.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: CVE request / advisory: Apache Traffic Server 5.0.0 - 5.1.1 Ping. On 6 January 2015 at 21:42, Matthew Daley <mattd@...fuzz.com> wrote: > Hi, > > I'd like to request a CVE ID for this issue. It was found in Apache > Traffic Server (http://trafficserver.apache.org/), an open-source > caching proxy webserver. > > This is the first such request but the issue has been semi-public for > a few weeks now; this message serves as an advisory as well. (Note > this probably needs a CVE-2014-* ID) > > Affected software: Apache Traffic Server > Description: Receiving a HTTP TRACE request containing a > "Max-Forwards" header with a value of "0" will cause the > traffic_server process to crash with an assertion failure, even in > release builds. > > The parent process, traffic_manager, will restart the traffic_server > process when it sees that it has crashed. However, it takes several > seconds before the new process is ready to handle requests, during > which the server appears unresponsive to the outside world. Also, > traffic_manager will queue incoming requests until the new process is > ready to handle them. These queued requests might consist of more of > the same request that caused the traffic_server process to crash in > the first place. This allows a remote attacker to perform an effective > DoS of the server with very little resources by simply sending the > crashing request repeatedly. > > Affected versions: 5.0.0 - 5.1.1 (5.x.x series before 5.1.2) > Fixed version: 5.1.2 > Bug entry: https://issues.apache.org/jira/browse/TS-3223 > Fix: https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;a=commit;h=8b5f0345dade6b2822d9b52c8ad12e63011a5c12 > Release notes: https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12327089&styleName=Html&projectId=12310963 > Reported by: Matthew Daley > > Please let me know if you need any further information. > > Thanks, > > - Matthew Daley
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ