Full Disclosure mailing list archives
[ANNOUNCE] Apache Traffic Server releases for security incident CVE-2012-0256
From: Leif Hedstrom <zwoop () apache org>
Date: Thu, 22 Mar 2012 11:50:01 -0600
Everyone,

Below is our announcement for the security issue reported to us from Codenomicon, via CERT-FI. All previous versions of Apache Traffic Server are vulnerable, and we urge users to upgrade to either v3.0.4 or v3.1.3 immediately. Both releases are available from our download site at

http://trafficserver.apache.org/downloads

In addition to fixing the CVE-2012-0256 issue, both releases include various other bug fixes. For more details on those fixes, please visit the download site above.

We would like to thank everyone involved with reporting and working on this incident. The CERT-FI announcement will be made available soon at

https://www.cert.fi/en/reports/2012/vulnerability612884.html

Sincerely,

-- Leif, on behalf of the Apache Traffic Server community

CVE-2012-0256: Apache Traffic Server host header vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: All stable Apache Traffic Server versions released before v3.0.4, as well as all development releases prior to v3.1.3.

Description: A request with a very large Host: header can cause the server to crash. This is a heap allocation issue.

Mitigation: All v2.0.x and v3.0.x users should upgrade to v3.0.4. Users of the current development releases, v3.1.x, should upgrade to v3.1.3.

Credit: This issue was discovered by the Codenomicon CROSS project, and reported to Apache via CERT-FI.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
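The Versions Affected and Mitigation sections above reduce to a version test, and the Description points at the Host header as the field a front-end can bound before traffic reaches the proxy. The Python below is an added example, not part of the advisory or of Apache Traffic Server; HOST_LIMIT is an assumed policy value and the sample requests are constructed.

```python
# Added example (not from the advisory or the Apache Traffic Server code base).
# Two defender-side helpers for CVE-2012-0256: classify an ATS version string
# against the advisory's fixed releases, and flag HTTP/1.x requests whose Host
# header exceeds a byte budget before they reach the proxy. HOST_LIMIT is an
# assumed policy value, and SAMPLE_REQUESTS are constructed.
import re

FIXED_STABLE = (3, 0, 4)   # fix for all stable (2.0.x, 3.0.x) releases
FIXED_DEV = (3, 1, 3)      # fix for the 3.1.x development series
HOST_LIMIT = 1024          # assumed: Host value bytes a front-end tolerates


def parse_version(text):
    """Extract the first x.y.z triple from a version or banner string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())


def affected(text):
    """Return (vulnerable, upgrade_to) for an ATS version per the advisory."""
    v = parse_version(text)
    if v[:2] == (3, 1):                 # development releases map to 3.1.3
        return v < FIXED_DEV, "3.1.3"
    return v < FIXED_STABLE, "3.0.4"    # everything else maps to 3.0.4


def host_header_len(raw):
    """Byte length of the Host header value in a raw HTTP/1.x request, 0 if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return len(value.strip())
    return 0


def flag_oversized(requests, limit=HOST_LIMIT):
    """Indices of requests whose Host header exceeds limit bytes."""
    return [i for i, r in enumerate(requests) if host_header_len(r) > limit]


SAMPLE_REQUESTS = [  # constructed samples
    b"GET / HTTP/1.1\r\nHost: cache.example.test\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: " + b"a" * 4096 + b"\r\nUser-Agent: x\r\n\r\n",
    b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n",
]

if __name__ == "__main__":
    for banner in ("ATS/3.0.3", "ATS/3.1.2", "ATS/3.0.4", "ATS/3.2.0"):
        print(banner, affected(banner))
    print("oversized Host:", flag_oversized(SAMPLE_REQUESTS))
```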