On 24.07.2014 11:41, Jan-Frode Myklebust wrote:
> On Thu, Jul 24, 2014 at 11:26:50AM +0200, Reindl Harald wrote:
>>
>>> Is there any information available about this problem, so that we can make
>>> a judgement on criticality of the upgrade?
>>
>> in case of such security announcements there is not much to judge
>> it is a bugfix-only release and should already be deployed
>
> There are testing and procedures involved in doing changes to core
> services like ATS in our company. Can't just upgrade willy-nilly..
me too, automated

if testing procedures delay deployment for security related bugfix-only
updates for days they do more harm than anything else - the bigger the
company the more problems of that sort - root cause is that nobody wants
to take responsibility

>>> Any reason to believe a properly firewalled trafficserver (only incoming
>>> 80/tcp and 443/tcp allowed) should be remotely exploitable?
>>
>> surely because that is an expected setup and the nature of
>> a vulnerability is to gain more rights than should be possible
>
> Did you read the patch? Looks to me like it's just a change of
> listening on ANY:8083 to LOOPBACK:8083 for some service, which
> doesn't seem like much of a change for a firewalled host.. Unless I'm
> missing something..

not so sure!

diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc index 43eff68..40f7ae0 100644 --- a/proxy/http/HttpTransact.cc +++ b/proxy/http/HttpTransact.cc @@ -775,11 +775,16 @@ HttpTransact::StartRemapRequest(State* s) int host_len, path_len; const char *host = url->host_get(&host_len); const char *path = url->path_get(&path_len); + const int port = url->port_get(); const char syntxt[] = "synthetic.txt"; s->cop_test_page = (ptr_len_cmp(host, host_len, local_host_ip_str, sizeof(local_host_ip_str) - 1) == 0) && - (ptr_len_cmp(path, path_len, syntxt, sizeof(syntxt) - 1) == 0); + (ptr_len_cmp(path, path_len, syntxt, sizeof(syntxt) - 1) == 0) && + port == s->http_config_param->autoconf_port && + s->method == HTTP_WKSIDX_GET && + s->orig_scheme == URL_WKSIDX_HTTP && + (!s->http_config_param->autoconf_localhost_only || ats_ip4_addr_cast(&s->client_info.addr.sa) == htonl(INADDR_LOOPBACK));
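Review bot: the new localhost restriction in the last added line, `ats_ip4_addr_cast(&s->client_info.addr.sa) == htonl(INADDR_LOOPBACK)`, matches exactly one IPv4 address (127.0.0.1); a client on any other 127/8 address, or on IPv6 ::1, will not pass it when autoconf_localhost_only is set, so if "localhost only" is meant to cover the whole loopback range that test should check the 127/8 prefix and the IPv6 loopback as well rather than one literal address. The condition is now six clauses long with no comment saying why synthetic.txt must be restricted to a GET over plain HTTP on autoconf_port from a local client; a one-line comment above `s->cop_test_page =` stating that the page is meant for the local cop/health check only would make the intent reviewable, and it is worth noting that the port and method clauses also apply when autoconf_localhost_only is off, which is a behaviour change for any remote consumer of that page.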