On Thu, Jul 24, 2014 at 11:26:50AM +0200, Reindl Harald wrote:
>
> > Is there any information available about this problem, so that we can make
> > a judgement on criticality of the upgrade?
>
> in case of such security announcements there is not much to judge
> it is a bugfix-only release and should already be deployed

There are testing and procedures involved in doing changes to core services like ATS in our company. Can't just upgrade willy-nilly..

>
> > Any reason to believe a properly firewalled trafficserver (only incoming
> > 80/tcp and 443/tcp allowed) should be remotely exploitable?
>
> surely because that is an expected setup and the nature of
> a vulnerability is to gain more rights than should be possible

Did you read the patch? Looks to me like it's just a change of listening on ANY:8083 to LOOPBACK:8083 for some service, which doesn't seem like much of a change for a firewalled host.. Unless I'm missing something..

-jf
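The practical question raised in this thread is whether a service has moved from the wildcard address to loopback, and whether anything else is listening beyond the ports the firewall is meant to expose. The following is an added example, not code from the thread or from the Apache Traffic Server project: it parses `ss -ltn` style output (the sample below is constructed, not captured from a real host), reports listeners bound beyond loopback on ports other than the expected public ones, and checks that a given port, such as the 8083 mentioned in the thread, is bound to loopback only. The port numbers in the sample other than 80, 443 and 8083 are arbitrary.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed sample in the layout of `ss -ltn` on Linux. It is not real
# output from any host. 8083 is shown bound to the wildcard address, which
# is the "before" state the thread describes; 8084/8085 show loopback-only
# bindings for IPv4 and IPv6.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       128     0.0.0.0:8083        0.0.0.0:*
LISTEN  0       128     127.0.0.1:8084      0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       128     [::1]:8085          [::]:*
"""


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) pairs for every LISTEN line in `ss -ltn` text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Header and blank lines do not start with LISTEN; skip them.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        # Split on the last colon so IPv6 literals like [::1]:8085 survive.
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")
        if not port.isdigit():
            continue
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; '*' and unparsable addresses are not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_ports(ss_output: str, expected_public: Set[int]) -> List[Tuple[str, int]]:
    """Listeners reachable beyond loopback whose port is not in the expected public set.

    Anything returned here is only protected by the host or network firewall,
    which is exactly the situation the thread is debating.
    """
    return [
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if not is_loopback(addr) and port not in expected_public
    ]


def binds_only_loopback(ss_output: str, port: int) -> bool:
    """True if at least one listener exists on `port` and all of them are loopback.

    Use this after deploying a fix that is supposed to move a service from
    ANY:<port> to LOOPBACK:<port>; a missing listener returns False so a
    service that silently failed to start is not mistaken for a hardened one.
    """
    addrs = [addr for addr, p in parse_listeners(ss_output) if p == port]
    return bool(addrs) and all(is_loopback(a) for a in addrs)


if __name__ == "__main__":
    # On a real host, replace SAMPLE_SS_OUTPUT with the output of `ss -ltn`.
    for addr, port in exposed_ports(SAMPLE_SS_OUTPUT, {80, 443}):
        print(f"listening beyond loopback on unexpected port: {addr}:{port}")
    print("8083 loopback-only:", binds_only_loopback(SAMPLE_SS_OUTPUT, 8083))
```

The firewall argument in the thread and this check are complementary: the firewall decides what reaches the host, while the bind address decides what the service itself accepts, and the second line of defence is the one the patch changes.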