This also affects 7.1.7 and 8.0.4.  I updated the version range below.

-Bryan


> On Aug 20, 2019, at 11:36 AM, Bryan Call <bc...@apache.org> wrote:
> 
> Description:
> ATS is vulnerable to an HTTP/2 attack with empty frames
> 
> CVE:
> CVE-2019-9518 Empty Frames Flood
> 
> Reported By:
> Piotr Sikora
> 
> Vendor:
> The Apache Software Foundation
> 
> Version Affected:
> ATS 6.0.0 to 6.2.3
> ATS 7.0.0 to 7.1.7
> ATS 8.0.0 to 8.0.4
> 
> Mitigation:
> Turn off HTTP/2 or upgrade ATS to a current version
> 6.x users should upgrade to 7.1.8, 8.0.5, or later versions
> 7.x users should upgrade to 7.1.8 or later versions
> 8.x users should upgrade to 8.0.5 or later versions
> 
> References:
>       Downloads:
>               https://trafficserver.apache.org/downloads
>               (Please use backup sites from the link only if the mirrors are unavailable)
>       Github Pull Request:
>               https://github.com/apache/trafficserver/pull/5850
>       CVE:
>               https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
> 
> -Bryan
> 
> 
