CVE-2018-11783

Name: CVE-2018-11783
Description: The sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. In some scenarios the plugin does not strip these headers from the incoming request. This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1.
Source: CVE (references at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release                      Version          Status
trafficserver (PTS)   stretch (security), stretch  7.0.0-6+deb9u2   vulnerable
trafficserver (PTS)   buster                       8.0.2+ds-1       fixed
trafficserver (PTS)   sid                          8.0.3+ds-2       fixed

The information below is based on the following data on fixed versions.

Package         Type     Release     Fixed Version   Urgency   Origin   Debian Bugs
trafficserver   source   (unstable)  8.0.2+ds-1      medium    -        -

Notes

[stretch] - trafficserver <postponed> (Minor issue, experimental plugin, will be fixed along with the next DSA)
https://github.com/apache/trafficserver/pull/4701
https://www.openwall.com/lists/oss-security/2019/02/13/6
