trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <>
Subject Re: [ANNOUNCE] Apache Traffic Server releases for security incident CVE-2014-3525
Date Thu, 24 Jul 2014 09:26:50 GMT

Am 24.07.2014 11:10, schrieb Jan-Frode Myklebust:
> On Wed, Jul 23, 2014 at 08:26:39AM -0700, Bryan Call wrote:
>> Below is our announcement for the security issue reported to us from 
>> Yahoo! Japan.  All versions of Apache Traffic Server are  vulnerable.
> Is there any information available about this problem, so that we can make
> a judgement on criticality of the upgrade? 

in case of such security anncouncements there is not much to judge
it is a bugfix-only release and should already be deployed

Jul 23 18:20:16 Updated: trafficserver-

> Any reason to believe a properly firewalled trafficserver (only incoming 
> 80/tcp and 443/tcp allowed) should be remotely exploitable?

surely because that is a expected setup and the nature of
a vulerability is to gain more rights as should be possible

View raw message