fix crash when logging TLS 1.3 properties (CVE-2017-10872) #1543

Closed
kazuho opened this Issue Dec 14, 2017 · 1 comment


kazuho commented Dec 14, 2017

The server segfaults when trying to emit the bits of a TLS 1.3 cipher-suite being used to the access-log (by specifying %{ssl.cipher-bits}x).

To avoid the issue, users are advised to upgrade to version 2.2.4 or to disable the use of TLS 1.3 (by setting the maximum-version to 1.2).

The issue was reported by @herumi in #1465.
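
One way to check a deployment against the conditions described in the issue above, as an added example that is not part of the original thread or h2o's own code. It treats releases from 2.2.4 on as fixed, scans the configuration line by line rather than parsing YAML, and assumes each `ssl:` block carries its own `maximum-version` line; the sample configuration and its paths are constructed.

```python
import re

SPECIFIER = "%{ssl.cipher-bits}x"   # access-log directive named in the issue
FIXED = (2, 2, 4)                   # release the issue says to upgrade to
SSL_BLOCK = re.compile(r"^\s*ssl\s*:")
# Assumption: versions are written like TLSv1.2 (a bare 1.2 is also accepted).
MAX_VERSION = re.compile(
    r"^\s*maximum-version\s*:\s*[\"']?(?:TLSv)?(\d+)(?:\.(\d+))?", re.I)

# Constructed sample configuration (paths are placeholders).
EXPOSED_CONF = """\
listen:
  port: 443
  ssl:
    certificate-file: /etc/h2o/server.crt
    key-file: /etc/h2o/server.key
access-log:
  path: /var/log/h2o/access.log
  format: "%h %t \\"%r\\" %s %b %{ssl.cipher-bits}x"
"""
MITIGATED_CONF = EXPOSED_CONF.replace(
    "    key-file:", "    maximum-version: TLSv1.2\n    key-file:")


def parse_release(text):
    """'2.2.3' -> (2, 2, 3); anything after the third number is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def audit(conf_text, h2o_release):
    """Return the reasons this server is exposed (empty list = not exposed)."""
    if parse_release(h2o_release) >= FIXED:
        return []                   # mitigation 1: upgraded
    lines = [l for l in conf_text.splitlines() if not l.lstrip().startswith("#")]
    if not any(SPECIFIER in l for l in lines):
        return []                   # the crashing directive is never logged
    ssl_blocks = sum(1 for l in lines if SSL_BLOCK.match(l))
    caps = [(int(m.group(1)), int(m.group(2) or 0))
            for m in map(MAX_VERSION.match, lines) if m]
    capped = sum(1 for c in caps if c < (1, 3))
    if ssl_blocks == 0 or capped >= ssl_blocks:
        return []                   # mitigation 2: TLS 1.3 disabled everywhere
    return [f"release {h2o_release} is older than 2.2.4",
            f"access log format uses {SPECIFIER}",
            f"{ssl_blocks - capped} of {ssl_blocks} ssl block(s) allow TLS 1.3"]
```
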

@h2o h2o locked and limited conversation to collaborators Dec 14, 2017

@kazuho kazuho changed the title from test to fix crash when logging TLS 1.3 properties (CVE-2017-1087) Dec 15, 2017

@kazuho kazuho changed the title from fix crash when logging TLS 1.3 properties (CVE-2017-1087) to fix crash when logging TLS 1.3 properties (CVE-2017-10872) Dec 15, 2017

@h2o h2o unlocked this conversation Dec 15, 2017

@kazuho kazuho closed this Jan 12, 2018

kirotawa commented Jun 22, 2018

Hi, what is the commit id/sha that fixes this issue?
