<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2018-11783] Apache Traffic Server vulnerability with sslheader plugin
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Bryan Call <bcall () apache org>
Date: Tue, 12 Feb 2019 15:42:35 -0800
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
CVE-2018-11783: Apache Traffic Server vulnerability with sslheader plugin
Reported By:
Nikhil Marathe
Vendor:
The Apache Software Foundation
Version Affected:
ATS 6.0.0 to 6.2.3
ATS 7.0.0 to 7.1.5
ATS 8.0.0 to 8.0.1
Description:
The sslheaders plugin extracts information from the client certificate and sets headers in the request based on the
configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios.
Mitigation:
6.x users should upgrade to 7.1.6, 8.0.2, or later versions
7.x users should upgrade to 7.1.6 or later versions
8.x users should upgrade to 8.0.2 or later versions
References:
Downloads:
https://trafficserver.apache.org/downloads
Github Pull Request:
https://github.com/apache/trafficserver/pull/4701
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11783
-Bryan
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
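The advisory does not say which scenarios are affected. The following added example (not part of the advisory and not Apache Traffic Server code) models the invariant a header-injecting proxy has to uphold: every header name it is configured to set is removed from the inbound request before any certificate-derived value is written, whether or not a client certificate was presented. The function names, header names and certificate field names are hypothetical.

```python
# Added illustration: a model of the invariant, not Apache Traffic Server code.
# Header names, certificate field names and values below are constructed.

def apply_cert_headers(request_headers, header_map, cert_fields):
    """Return a new header list in which every configured header name carries
    only proxy-derived values.

    request_headers: list of (name, value) pairs as received from the client
    header_map:      {header name: certificate field} (hypothetical config)
    cert_fields:     {certificate field: value}, or None when the client
                     presented no certificate
    """
    managed = {name.lower() for name in header_map}

    # Step 1: unconditionally drop every inbound copy of a managed header.
    # HTTP header names are case-insensitive and may repeat, so compare
    # lowercased names and filter the whole list instead of deleting one entry.
    cleaned = [(n, v) for (n, v) in request_headers if n.lower() not in managed]

    # Step 2: add values taken from the verified certificate, if any.
    if cert_fields:
        for name, field in header_map.items():
            value = cert_fields.get(field)
            if value is not None:
                cleaned.append((name, value))
    return cleaned


def managed_values(headers, name):
    """All values for a header name, matched case-insensitively."""
    return [v for (n, v) in headers if n.lower() == name.lower()]


HEADER_MAP = {"SSL-Client-Subject": "subject", "SSL-Client-Serial": "serial"}

# Constructed request carrying client-supplied copies of the managed headers,
# one in a different case and one duplicated.
SPOOFED = [
    ("Host", "app.example"),
    ("ssl-client-subject", "CN=admin"),
    ("SSL-Client-Subject", "CN=admin"),
    ("SSL-Client-Serial", "01"),
]

if __name__ == "__main__":
    print(apply_cert_headers(SPOOFED, HEADER_MAP, None))
    print(apply_cert_headers(SPOOFED, HEADER_MAP, {"subject": "CN=alice", "serial": "7F"}))
```

An origin behind the proxy can trust these headers only if this property holds for every request path, so it is worth asserting in a regression test after upgrading.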
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
Current thread:
[CVE-2018-11783] Apache Traffic Server vulnerability with sslheader plugin Bryan Call (Feb 13)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->