trafficserver-users mailing list archives

From Jan-Frode Myklebust <janfr...@tanso.net>
Subject Re: [ANNOUNCE] Apache Traffic Server releases for security incident CVE-2014-3525
Date Thu, 24 Jul 2014 09:41:17 GMT
On Thu, Jul 24, 2014 at 11:26:50AM +0200, Reindl Harald wrote:
> 
> > Is there any information available about this problem, so that we can make
> > a judgement on criticality of the upgrade? 
> 
> in case of such security announcements there is not much to judge
> it is a bugfix-only release and should already be deployed

There are testing and procedures involved in doing changes to core
services like ATS in our company. Can't just upgrade willy-nilly..

> 
> > Any reason to believe a properly firewalled trafficserver (only incoming 
> > 80/tcp and 443/tcp allowed) should be remotely exploitable?
> 
> surely because that is an expected setup and the nature of
> a vulnerability is to gain more rights than should be possible

Did you read the patch? Looks to me like it's just a change of
listening on ANY:8083 to LOOPBACK:8083 for some service, which
doesn't seem like much of a change for a firewalled host.. Unless I'm
missing something..



  -jf
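The message above reads the patch as moving a listener on port 8083 from the wildcard address to loopback. The script below is an added example, not code from this thread or from the Apache Traffic Server project, for checking which of those two states a host is actually in: it parses `ss -lnt` style lines (Linux iproute2 output format) and reports whether every listener on a given port is bound to loopback. Only the port number 8083 and the ANY/LOOPBACK distinction come from the message; the function names, the verdict wording and the two SAMPLE_* blocks are my own constructions, and the sample lines are made up rather than captured from a real host.

```sh
#!/bin/sh
# Added example, not code from the thread or from the ATS project: check
# whether anything on TCP port 8083 listens on a wildcard address (ANY)
# or only on loopback. Parses `ss -lnt` style lines (Linux iproute2).
# The SAMPLE_* blocks are constructed, not captured from a real host.

# classify_bind ADDR:PORT -> prints ANY, LOOPBACK or SPECIFIC
classify_bind() {
    host=${1%:*}                          # drop the trailing :port
    case "$host" in
        '*'|0.0.0.0|'[::]'|::)                echo ANY ;;
        127.*|'[::1]'|::1|'[::ffff:127.'*)     echo LOOPBACK ;;
        *)                                    echo SPECIFIC ;;
    esac
}

# report_port PORT  (stdin: ss -lnt output)
# prints "ADDR:PORT KIND" for every listener on PORT and returns
#   0: every listener on PORT is loopback-bound
#   1: at least one listener on PORT is bound beyond loopback
#   2: nothing listens on PORT
report_port() {
    port=$1; found=0; exposed=0
    while read -r state rq sq laddr rest; do
        case "$laddr" in
            *:"$port") ;;                 # local address ends in :PORT
            *) continue ;;                # header line or another port
        esac
        found=$((found + 1))
        kind=$(classify_bind "$laddr")
        echo "  $laddr $kind"
        [ "$kind" = LOOPBACK ] || exposed=1
    done
    [ "$found" -gt 0 ] || return 2
    return "$exposed"
}

# bind_summary PORT (stdin: ss -lnt output) -> listing plus a one-line verdict
bind_summary() {
    report_port "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo "port $1: loopback only" ;;
        2) echo "port $1: not listening" ;;
        *) echo "port $1: bound beyond loopback" ;;
    esac
}

# Constructed sample output: the same host before and after a change of
# the port 8083 listener from ANY to LOOPBACK.
SAMPLE_ANY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8083       0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    [::]:443           [::]:*'
SAMPLE_LOOP='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8083     0.0.0.0:*
LISTEN 0      128    [::1]:8083         [::]:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*'

echo "constructed sample, before:"
printf '%s\n' "$SAMPLE_ANY"  | bind_summary 8083
echo "constructed sample, after:"
printf '%s\n' "$SAMPLE_LOOP" | bind_summary 8083

# Live check on this host when iproute2's ss is available.
if command -v ss >/dev/null 2>&1; then
    echo "this host:"
    ss -lnt 2>/dev/null | bind_summary 8083
fi
```

Two caveats worth keeping in mind when reading the verdict. A wildcard listener behind a firewall that admits only 80/tcp and 443/tcp is unreachable from outside that firewall, but it is still reachable from any local process and, if the filtering is done on a perimeter device rather than on the host, from neighbouring hosts on the same segment. A loopback binding removes the network exposure without depending on the firewall rules being correct, but it does nothing about local processes, so the binding check answers "who can reach the socket", not "what the service lets a caller do once connected".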
