I couldn’t get it to crash on ATS 5.3.x myself. I am seeing this in the squid logs after the request:
1493308994.894 56 216.161.80.88 ERR_CLIENT_ABORT 000 0 POST … -Bryan > On Apr 27, 2017, at 8:18 AM, Zhilin Huang (zhilhuan) <zhilh...@cisco.com> > wrote: > > Hi, > > I know ATS 5.3.2 may be end of support. But it would be very appreciated if > someone can suggest if 5.3.2 is affected by CVE-2017-5659. > > Currently we are still using 5.3.2 in production, and want to evaluate how to > back port CVE-2017-5659 to 5.3.2 by ourselves. > > However, looks like the code base is quite different. If my understanding is > right, the fix is actually introduced in TS-4507 by PR #787. And it seems > like a regression from TS-3612, but I am not quite sure about this. If it is > truly a regression from TS-3612, does this mean 5.3.2 is not affected? > > BTW, we could not reproduce this issue by the test tool attached in > https://issues.apache.org/jira/secure/attachment/12827263/test_post.py . > Would someone kindly help to provide some suggestion on how to reproduce this > issue using this tool? Is there any configuration precondition? > > Thanks in advance! > > > Thanks, > Zhilin > >
