fix crash when logging TLS 1.3 properties (CVE-2017-10872) #1543

Closed
kazuho opened this issue Dec 14, 2017 · 1 comment


kazuho commented Dec 14, 2017

The server segfaults when trying to emit the bits of a TLS 1.3 cipher-suite being used to the access-log (by specifying %{ssl.cipher-bits}x).

To avoid the issue, users are advised to upgrade to version 2.2.4 or to disable the use of TLS 1.3 (by setting the maximum-version to 1.2).

The issue was reported by @herumi in #1465.
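A configuration triage for the two workarounds in the comment above, as an added example that is not part of the original issue or of H2O's code: it flags a config that logs `%{ssl.cipher-bits}x` without capping TLS below 1.3 on a release older than 2.2.4. The `max-version` alias, the `TLSv1.2` value spelling, the sample paths and the line-based (non-YAML) parsing are assumptions.

```python
import re

CIPHER_BITS = "%{ssl.cipher-bits}x"  # log directive named in the issue
FIXED = (2, 2, 4)                     # release the issue says to upgrade to
SSL_BLOCK = re.compile(r"^\s*ssl\s*:")
# "maximum-version" comes from the issue; the "max-version" alias and the
# value spellings below are assumptions about H2O's configuration syntax.
MAX_VER = re.compile(r"^\s*(?:maximum|max)-version\s*:\s*['\"]?([\w.]+)", re.I)
BELOW_TLS13 = {"sslv2", "sslv3", "tlsv1", "tlsv1.0", "tlsv1.1", "tlsv1.2"}

# Constructed sample configuration (paths and layout are illustrative).
SAMPLE_CONF = """\
listen:
  port: 443
  ssl:
    certificate-file: /etc/h2o/server.crt
    key-file: /etc/h2o/server.key
access-log:
  path: /var/log/h2o/access.log
  format: '%h "%r" %s %{ssl.cipher-bits}x'
"""

def assess(conf_text, version):
    """Classify a config as 'fixed', 'not-logging', 'mitigated' or 'exposed'.

    Line-based heuristic, not a YAML parser; expects a plain x.y.z version.
    """
    if tuple(int(p) for p in version.split(".")[:3]) >= FIXED:
        return "fixed"
    lines = [l for l in conf_text.splitlines()
             if not l.lstrip().startswith("#")]
    if not any(CIPHER_BITS in l for l in lines):
        return "not-logging"
    ssl_blocks = sum(1 for l in lines if SSL_BLOCK.match(l))
    caps = [m.group(1).lower() for l in lines if (m := MAX_VER.match(l))]
    # Conservative: each ssl block needs its own cap, and every cap must
    # name a protocol older than TLS 1.3; anything else needs review.
    capped = bool(caps) and len(caps) >= ssl_blocks and set(caps) <= BELOW_TLS13
    return "mitigated" if capped else "exposed"

if __name__ == "__main__":
    capped_conf = SAMPLE_CONF.replace("ssl:\n", "ssl:\n    maximum-version: TLSv1.2\n")
    for label, conf in (("as shipped", SAMPLE_CONF), ("capped", capped_conf)):
        print(label, "->", assess(conf, "2.2.3"))
```

An "exposed" verdict means the config needs manual review, since the heuristic cannot tell which listener a cap belongs to.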

@h2o h2o locked and limited conversation to collaborators Dec 14, 2017
@kazuho kazuho changed the title test fix crash when logging TLS 1.3 properties (CVE-2017-1087) Dec 15, 2017
@kazuho kazuho changed the title fix crash when logging TLS 1.3 properties (CVE-2017-1087) fix crash when logging TLS 1.3 properties (CVE-2017-10872) Dec 15, 2017
@h2o h2o unlocked this conversation Dec 15, 2017
@kazuho kazuho closed this as completed Jan 12, 2018
@kirotawa

Hi, what is the commit id/sha that fixes this issue?
