March 26, H Security – (International) Apache Traffic Server update closes important security hole. Version 3.0.4 of Apache Traffic Server (ATS), the high-- 18 - performance caching HTTP/1.1 proxy server, has been released, closing a security hole that could be exploited by an attacker to remotely compromise a vulnerable system. An error when parsing a large “Host:” HTTP header can be used to cause a heap-based buffer overflow, which could lead to a denial-of-service condition or the execution of arbitrary code. The vulnerability (CVE-2012-0256) was reported to Apache by Codenomicon via CERT-FI and is rated as “Important.” All 2.0.x versions as well as 3.0.x and 3.1.x up to and including 3.0.3 and 3.1.2 are affected. Upgrading to 3.0.4 fixes the problem. The developers also released an update, version 3.1.3, to the unstable development branch of ATS to fix the security problem and urged all users to upgrade as soon as possible.
Ali Loney, on March 26, 2012