Date: Tue, 28 Aug 2018 15:39:51 -0700 From: Bryan Call <bcall@...che.org> To: announce@...fficserver.apache.org, dev <dev@...fficserver.apache.org>, users <users@...fficserver.apache.org>, security@...fficserver.apache.org, oss-security@...ts.openwall.com Subject: [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040 CVE-2018-8040: Apache Traffic Server vulnerability with header variable access in the ESI plugin Reported By: Louis Dion-Marcil Vendor: The Apache Software Foundation Version Affected: ATS 6.0.0 to 6.2.2 ATS 7.0.0 to 7.1.2 Description: Pages that are rendered using the ESI plugin can have access to the cookie header when the plugin is configure not to allow access. Mitigation: 6.x users should upgrade to 6.2.3 or later versions 7.x users should upgrade to 7.1.3 or later versions References: Downloads: https://trafficserver.apache.org/downloads Github Pull Request: https://github.com/apache/trafficserver/pull/3926 CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8040 -Bryan
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.