Is it safe to conclude that, in terms of request routing, this CVE only applies to proxies in forward proxy mode? Or rather, to forward proxies that parse the Host header to determine the next hop? In reverse proxy mode, where remap rules are explicitly defined, a request either matches a remap or is denied.
Please advise.

On Tue, Feb 27, 2018 at 11:38 AM, Bryan Call <[email protected]> wrote:
> CVE-2017-5660: Apache Traffic Server host header and line folding
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.2.0 and prior
> ATS 7.0.0 and prior
>
> Description:
> There is a vulnerability in ATS with the Host header and line folding. This
> can have issues when interacting with upstream proxies and the wrong host
> being used.
>
> Mitigation:
> 6.2.x users should upgrade to 6.2.2 or later versions
> 7.x users should upgrade to 7.1.2 or later versions
>
> References:
> Downloads:
> https://trafficserver.apache.org/downloads
>
> Github Pull Request:
> https://github.com/apache/trafficserver/pull/1657
>
> CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5660
>
> -Bryan
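The advisory names the problem class (Host header plus obsolete line folding) but not the ATS code path, so the following is an added illustration of that class, not code from the thread or from Traffic Server. It assumes a constructed request whose Host line carries an obs-fold continuation, shows how a naive line-based parser and an unfolding parser (RFC 7230 section 3.2.4) disagree on the Host value, and gives the defensive check a proxy should apply before choosing a next hop.

```python
# Added example, not ATS code: the Host value an intermediary forwards
# depends on how it treats obs-fold (a header line continued on the next
# line after SP/HTAB). RFC 7230 sec 3.2.4 says a server MUST either reject
# such a request or replace each obs-fold with one SP before interpreting it.

SAMPLE_REQUEST = (  # constructed input, not a captured ATS request
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: a.example\r\n"
    b"\tb.example\r\n"        # obs-fold continuation of the Host line
    b"X-Trace: 1\r\n"
    b"\r\n"
)

def _header_lines(raw: bytes) -> list:
    """Header lines only: drop the request line, stop at the empty line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")[1:]

def parse_naive(raw: bytes) -> dict:
    """Ignores continuation lines entirely: Host stays 'a.example'."""
    headers = {}
    for line in _header_lines(raw):
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_unfolding(raw: bytes) -> dict:
    """Joins obs-fold continuations with one SP, so the same request yields
    Host 'a.example b.example'. Two hops using different parsers disagree."""
    headers = {}
    last = None
    for line in _header_lines(raw):
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last] = headers[last] + b" " + line.strip()
            continue
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers

def has_obs_fold(raw: bytes) -> bool:
    """Defensive check: reject (400 Bad Request) any request containing
    obs-fold instead of forwarding it upstream with an ambiguous Host."""
    return any(l[:1] in (b" ", b"\t") for l in _header_lines(raw))
```

A proxy that answers `has_obs_fold` with a 400 never has to pick between the two Host interpretations, which is the behaviour RFC 7230 recommends for intermediaries.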
