Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Aug 2018 15:39:51 -0700
From: Bryan Call <bcall@...che.org>
To: announce@...fficserver.apache.org,
 dev <dev@...fficserver.apache.org>,
 users <users@...fficserver.apache.org>,
 security@...fficserver.apache.org,
 oss-security@...ts.openwall.com
Subject: [ANNOUNCE] Apache Traffic Server vulnerability with header variable
 access in the ESI plugin - CVE-2018-8040

CVE-2018-8040: Apache Traffic Server vulnerability with header variable access in the ESI plugin

Reported By:
Louis Dion-Marcil

Vendor:
The Apache Software Foundation

Version Affected:
ATS 6.0.0 to 6.2.2
ATS 7.0.0 to 7.1.2

Description:
Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configure not to allow access.

Mitigation:
6.x users should upgrade to 6.2.3 or later versions
7.x users should upgrade to 7.1.3 or later versions

References:
	Downloads:
		https://trafficserver.apache.org/downloads
	Github Pull Request:
		https://github.com/apache/trafficserver/pull/3926
	CVE:
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040

-Bryan



Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.