In association with heise online

26 March 2012, 15:00

Apache Traffic Server update closes important security hole


Version 3.0.4 of Apache Traffic Server, the high performance caching HTTP/1.1 proxy server, has been released, closing a security hole that could be exploited by an attacker to remotely compromise a vulnerable system. An error when parsing a large "Host:" HTTP header can be used to cause a heap-based buffer overflow, which could lead to a denial-of-service (DoS) condition or the execution of arbitrary code. The vulnerability (CVE-2012-0256) was reported to Apache by Codenomicon via CERT-FI and is rated as "Important".

All 2.0.x versions as well as 3.0.x and 3.1.x up to and including 3.0.3 and 3.1.2 are affected. Upgrading to 3.0.4 fixes the problem. The developers have also released an update, version 3.1.3, to the unstable development branch of ATS to fix the security problem and urge all users to upgrade as soon as possible.
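For administrators checking an inventory against the affected ranges above, the following sketch is an added example and not code from the Apache Traffic Server project. The function names, the status labels and the sample inventory strings are constructed for illustration; series the article does not mention are reported as "unknown" rather than guessed.

```python
import re

# Affected ranges as stated in the article:
#   all 2.0.x; 3.0.x up to and including 3.0.3; 3.1.x up to and including 3.1.2.
# Maps (major, minor) -> first fixed patch level, or None when the article
# names no fixed release in that series.
FIRST_FIXED = {(2, 0): None, (3, 0): 4, (3, 1): 3}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def classify(version_text):
    """Return 'affected', 'fixed', 'unknown' or 'unparsed' for a version string.

    Accepts a bare version ("3.0.3") or a longer string that contains one,
    such as a package name or banner (assumed formats, not an ATS API).
    """
    match = _VERSION_RE.search(version_text)
    if match is None:
        return "unparsed"
    major, minor, patch = (int(part) for part in match.groups())
    if (major, minor) not in FIRST_FIXED:
        # Series not covered by the article: do not guess either way.
        return "unknown"
    first_fixed = FIRST_FIXED[(major, minor)]
    if first_fixed is None or patch < first_fixed:
        return "affected"
    return "fixed"


def hosts_needing_upgrade(inventory):
    """Return host names whose recorded version is affected or cannot be judged."""
    return sorted(
        host for host, version in inventory.items()
        if classify(version) != "fixed"
    )


# Constructed sample inventory (host name -> recorded version string).
SAMPLE_INVENTORY = {
    "cache-01": "trafficserver-3.0.3-1",
    "cache-02": "3.0.4",
    "cache-03": "ATS/3.1.2",
    "cache-04": "3.1.3",
    "cache-05": "2.0.1",
    "cache-06": "version not recorded",
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(host, classify(SAMPLE_INVENTORY[host]))
```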

More details about the updates, including a full list of bug fixes, can be found in the CERT-FI security advisory, and in the 3.0.4 and 3.1.3 change logs. Versions 3.0.4 and 3.1.3 of Apache Traffic Server are available from the project's download page and documentation is provided. Apache Traffic Server is released under Apache License 2.0.
