Apache Traffic Server releases for security incident

2014-08-24 / 2014-08-25
Credit: Bryan Call
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-noinfo


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Everyone,

Below is our announcement for the security issue reported to us from Yahoo! Japan. All versions of Apache Traffic Server are vulnerable. We urge users to upgrade to either 4.2.1.1 or 5.0.1 immediately. There is also a patch for 3.2.5 located under the patches directory and there are no further releases of 3.2.x.

The artifacts are available for download at:
https://dist.apache.org/repos/dist/release/trafficserver/

-rw-r--r-- 1 bcall bcall 7440366 Jul 23 01:50 trafficserver-5.0.1.tar.bz2
-rw-r--r-- 1 bcall bcall 819 Jul 23 01:51 trafficserver-5.0.1.tar.bz2.asc
-rw-r--r-- 1 bcall bcall 62 Jul 23 01:50 trafficserver-5.0.1.tar.bz2.md5
-rw-r--r-- 1 bcall bcall 70 Jul 23 01:50 trafficserver-5.0.1.tar.bz2.sha1
MD5: 76d5d7fea7ab1e3e1a09169ad0941767
SHA1: 13e6810ed7ad36b66e9dd0b3394fd059062a1f93

-rw-r--r-- 1 bcall bcall 6686865 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2
-rw-r--r-- 1 bcall bcall 819 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.asc
-rw-r--r-- 1 bcall bcall 64 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.md5
-rw-r--r-- 1 bcall bcall 72 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.sha1
MD5: 7d154544c4953973570b4713a78cb0cb
SHA1: 1cd542a52ac7ed71ae95ec40d0076c45df0c5f27

This fixes CVE-2014-3525 and limits access to how the health checks are performed.

We would like to thank everyone involved with reporting and working on this incident.

Sincerely,

-- Bryan, on behalf of the Apache Traffic Server community

References:

http://mail-archives.apache.org/mod_mbox/trafficserver-users/201407.mbox/%3CBFCEC9C8-1BE9-4DCA-AF9C-B8FE798EEC07@yahoo-inc.com%3E
https://dist.apache.org/repos/dist/release/trafficserver/

