Message-Id: <13C54619-BA67-4F58-A340-DECA0E9848DB@apache.org>
Date: Tue, 28 Aug 2018 15:39:49 -0700
From: Bryan Call <bcall@...che.org>
To: announce@...fficserver.apache.org, dev <dev@...fficserver.apache.org>, users <users@...fficserver.apache.org>, security@...fficserver.apache.org, oss-security@...ts.openwall.com
Subject: [ANNOUNCE] Apache Traffic Server vulnerability with multiple HTTP smuggling and cache poisoning attacks - CVE-2018-8004

CVE-2018-8004: Apache Traffic Server vulnerability with multiple HTTP smuggling and cache poisoning attacks

Reported By:
Régis Leroy

Vendor:
The Apache Software Foundation

Version Affected:
ATS 6.0.0 to 6.2.2
ATS 7.0.0 to 7.1.3

Description:
There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with ATS.

Mitigation:
6.x users should upgrade to 6.2.3 or later versions
7.x users should upgrade to 7.1.4 or later versions

References:
Downloads:
https://trafficserver.apache.org/downloads

Github Pull Request:
https://github.com/apache/trafficserver/pull/3192
https://github.com/apache/trafficserver/pull/3201
https://github.com/apache/trafficserver/pull/3231
https://github.com/apache/trafficserver/pull/3251

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8004

-Bryan