Apache Traffic Server update closes important security hole
Version 3.0.4 of Apache Traffic Server, the high performance caching HTTP/1.1 proxy server, has been released, closing a security hole that could be exploited by an attacker to remotely compromise a vulnerable system. An error when parsing a large "Host:" HTTP header can be used to cause a heap-based buffer overflow, which could lead to a denial-of-service (DoS) condition or the execution of arbitrary code. The vulnerability (CVE-2012-0256) was reported to Apache by Codenomicon via CERT-FI and is rated as "Important".
All 2.0.x versions as well as 3.0.x and 3.1.x up to and including 3.0.3 and 3.1.2 are affected. Upgrading to 3.0.4 fixes the problem. The developers have also released an update, version 3.1.3, to the unstable development branch of ATS to fix the security problem and urge all users to upgrade as soon as possible.
More details about the updates, including a full list of bug fixes, can be found in the CERT-FI security advisory, and in the 3.0.4 and 3.1.3 change logs. Versions 3.0.4 and 3.1.3 of Apache Traffic Server are available from the project's download page and documentation is provided. Apache Traffic Server is released under Apache License 2.0.
See also:
- CERT-FI Advisory on Apache Traffic Server, security advisory from CERT-FI.
- Apache Traffic Server releases for security incident CVE-2012-0256, Apache mailing list announcement.
- Apache Traffic Server 3.0.0 goes 64 bit, a report from The H.
(crve)