trafficcontrol-commits mailing list archives

From els...@apache.org
Subject incubator-trafficcontrol-website git commit: Added CVE-2017-7670 to the security page.
Date Fri, 07 Jul 2017 20:56:39 GMT
Repository: incubator-trafficcontrol-website
Updated Branches:
  refs/heads/master 47fc10c82 -> e90da6421


Added CVE-2017-7670 to the security page.


Project: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol-website/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol-website/commit/e90da642
Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol-website/tree/e90da642
Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol-website/diff/e90da642

Branch: refs/heads/master
Commit: e90da6421906b27de5a40bf0f83ee163cef021c8
Parents: 47fc10c
Author: Jeff Elsloo <jeffrey_elsloo@cable.comcast.com>
Authored: Fri Jul 7 14:56:34 2017 -0600
Committer: Jeff Elsloo <jeffrey_elsloo@cable.comcast.com>
Committed: Fri Jul 7 14:56:34 2017 -0600

----------------------------------------------------------------------
 security/CVE-2017-7670.html | 67 ++++++++++++++++++++++++++++++++++++++++
 security/index.html         |  5 ++-
 2 files changed, 71 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol-website/blob/e90da642/security/CVE-2017-7670.html
----------------------------------------------------------------------
diff --git a/security/CVE-2017-7670.html b/security/CVE-2017-7670.html
new file mode 100644
index 0000000..c5e94a9
--- /dev/null
+++ b/security/CVE-2017-7670.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>Traffic Control</title>
+
+    <!-- Bootstrap -->
+    <link href="../css/bootstrap.min.css" rel="stylesheet">
+    <link href="../css/home.css" rel="stylesheet">
+
+  </head>
+  <body>
+    <div class="bkgdWrapper">
+    </div>
+    <div class="appWrapper">
+      <div class="appHeader">
+        <div class="applogo"></div>
+          <div class="navWrapper">
+            <ul>
+              <li class="selected">SECURITY</li>
+              <li class="navMain"><a href="../downloads/index.html">DOWNLOADS</a></li>
+              <li class="navMain"><a href="https://github.com/apache/incubator-trafficcontrol">GIT</a></li>
+              <li class="navMain"><a href="../docs/latest/index.html">DOCS</a></li>
+              <li class="navMain"><a href="../ask/index.html">INFO</a></li>
+              <li class="navMain"><a href="../index.html">HOME</a></li></ul>
+            </ul>
+          </div>
+        </div>
+      <hr/>
+
+	  <div class="sectionContainer">
+	  <h3>CVE-2017-7670: Apache Traffic Control Traffic Router Slowloris Denial of Service
Vulnerability</h3>
+<b>Severity:</b> High
+<br/><br/>
+<b>Vendor:</b>
+<br/>
+The Apache Software Foundation
+<br/><br/>
+<b>Versions Affected:</b>
+<br/>
+Traffic Control 1.8.0
+<br/>
+Traffic Control 2.0.0 RC0
+<br/>
+The unsupported Traffic Control 1.5.x, 1.6.x, and 1.7.x versions may be also affected
+<br/><br/>
+<b>Description:</b>
+<br/>
+The Traffic Router component of the incubating Apache Traffic Control project is vulnerable
to a Slowloris style Denial of Service attack. TCP connections made on the configured DNS
port will remain in the ESTABLISHED state until the client explicitly closes the connection
or Traffic Router is restarted. If connections remain in the ESTABLISHED state indefinitely
and accumulate in number to match the size of the thread pool dedicated to processing DNS
requests, the thread pool becomes exhausted. Once the thread pool is exhausted, Traffic Router
is unable to service any DNS request, regardless of transport protocol.
+<br/><br/>
+<b>Mitigation:</b>
+<br/>
+1.8.x users should upgrade to 1.8.1
+<br/>
+2.0.x users should upgrade to 2.0.0
+<br/>
+Pre 1.8.x users can apply this patch: <a href="https://github.com/apache/incubator-trafficcontrol/commit/738c10fa1b5861e4cc3944dc7c3065d16f4a708c">https://github.com/apache/incubator-trafficcontrol/commit/738c10fa1b5861e4cc3944dc7c3065d16f4a708c</a>
+<br/><br/>
+<b>References:</b>
+<br/>
+<a href="http://trafficcontrol.apache.org/security/index.html">http://trafficcontrol.apache.org/security/index.html</a>
+	  </div>
+    </div>
+  </body>
+</html>
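Review bot: The nav list in the new file is closed twice: the HOME item line `<li class="navMain"><a href="../index.html">HOME</a></li></ul>` already ends with `</ul>`, and the following line adds a second `</ul>`, leaving a stray end tag. Drop one of the two. Also, the `<title>` is still the generic "Traffic Control"; putting CVE-2017-7670 in it would make the advisory identifiable in browser tabs and search results. In the Mitigation block, "2.0.x users should upgrade to 2.0.0" sits beside an affected version listed as "2.0.0 RC0", so it would help to state explicitly that the fix is in the 2.0.0 release rather than the release candidate.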

http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol-website/blob/e90da642/security/index.html
----------------------------------------------------------------------
diff --git a/security/index.html b/security/index.html
index 3fcac65..65f1401 100644
--- a/security/index.html
+++ b/security/index.html
@@ -32,7 +32,10 @@
 
 	  <div class="sectionContainer">
 	  <h2>Apache Traffic Control Security Updates</h2>
-None at this time.
+      <h3>Traffic Router</h3>
+      <ul>
+        <li><a href="CVE-2017-7670.html">CVE-2017-7670</a></li>
+      </ul>
       <h2>Reporting Vulnerabilities</h2>
 Please use our private security mailing list, <a href="mailto:security@trafficcontrol.incubator.apache.org">security@trafficcontrol.incubator.apache.org</a>,
to disclose any new vulnerability. Disclosing vulnerabilities privately will allow our project
team to analyze the report, identify a fix, and begin the full disclosure process. Please
include all relevant information to reproduce the issue, and any known workaround or fix.
 	  </div>
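Review bot: The new list item uses the bare id as its only link text (`<li><a href="CVE-2017-7670.html">CVE-2017-7670</a></li>`), so someone scanning the index cannot tell what the issue is or how severe it is without opening the advisory. Consider adding the advisory title and severity from the new page next to the link (Traffic Router Slowloris Denial of Service, High), along with the affected versions, so the index works as a triage list as more entries are added.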

