lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4F6B6649.9000507@apache.org>
Date: Thu, 22 Mar 2012 11:50:01 -0600
From: Leif Hedstrom <zwoop@...che.org>
To: announce@...che.org,
  CERT-FI Vulnerability Co-ordination <vulncoord@...ora.fi>
CC: dev@...fficserver.apache.org,
  "'users@...fficserver.apache.org'" <users@...fficserver.apache.org>,
  security@...che.org, full-disclosure@...ts.grok.org.uk,
  bugtraq@...urityfocus.com
Subject: [ANNOUNCE] Apache Traffic Server releases for security incident CVE-2012-0256

Everyone,

Below is our announcement for the security issue reported to us from 
Codenomicon, via CERT-FI. All previous versions of Apache Traffic Server are 
vulnerable, and we urge users to upgrade to either v3.0.4 or v3.1.3 
immediately. Both releases are available from our download site at

     http://trafficserver.apache.org/downloads


In addition to fixing the CVE-2012-0256 issue, both releases include various 
other bug fixes. For more details on those fixes, please visit the download 
site above.


We like to thank everyone involved with reporting and working on this 
incident. The CERT-FI announcement will be made available soon at

     https://www.cert.fi/en/reports/2012/vulnerability612884.html


Sincerely,

-- Leif, on behalf of the Apache Traffic Server community

CVE-2012-0256: Apache Traffic Server host header vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: All stable Apache Traffic Server versions released
before v3.0.4, as well as all development releases prior to v3.1.3.

Description: A request with a very large Host: header can cause the server
to crash. This is a heap allocation issue.

Mitigation: All v2.0.x and v3.0.x users should upgrade to v3.0.4. Users of
the current development releases, v3.1.x, should upgrade to v3.1.3.

Credit: This issue was discovered by the Codenomicon CROSS project, and
reported to Apache via CERT-FI.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ