CVE-2018-11783

NameCVE-2018-11783
Descriptionsslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
trafficserver (PTS)buster, buster (security)8.0.2+ds-1+deb10u4fixed
bullseye, sid8.1.1+ds-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
trafficserversource(unstable)8.0.2+ds-1

Notes

https://github.com/apache/trafficserver/pull/4701
https://www.openwall.com/lists/oss-security/2019/02/13/6

Search for package or bug name: Reporting problems