Everyone,

Below is our announcement for the security issue reported to us from
Yahoo! Japan. All versions of Apache Traffic Server are vulnerable.
We urge users to upgrade to either 4.2.1.1 or 5.0.1 immediately. There
is also a patch for 3.2.5 located under the patches directory and there
are no further releases of 3.2.x.

The artifacts are available for download at:
https://dist.apache.org/repos/dist/release/trafficserver/

-rw-r--r-- 1 bcall bcall 7440366 Jul 23 01:50 trafficserver-5.0.1.tar.bz2
-rw-r--r-- 1 bcall bcall 819 Jul 23 01:51 trafficserver-5.0.1.tar.bz2.asc
-rw-r--r-- 1 bcall bcall 62 Jul 23 01:50 trafficserver-5.0.1.tar.bz2.md5
-rw-r--r-- 1 bcall bcall 70 Jul 23 01:50 trafficserver-5.0.1.tar.bz2.sha1
MD5: 76d5d7fea7ab1e3e1a09169ad0941767
SHA1: 13e6810ed7ad36b66e9dd0b3394fd059062a1f93

-rw-r--r-- 1 bcall bcall 6686865 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2
-rw-r--r-- 1 bcall bcall 819 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.asc
-rw-r--r-- 1 bcall bcall 64 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.md5
-rw-r--r-- 1 bcall bcall 72 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.sha1
MD5: 7d154544c4953973570b4713a78cb0cb
SHA1: 1cd542a52ac7ed71ae95ec40d0076c45df0c5f27

This fixes CVE-2014-3525 and limits access to how the health checks
are performed.

We would like to thank everyone involved with reporting and working on this
incident.

Sincerely,
-- Bryan, on behalf of the Apache Traffic Server community