===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0763
            CVE-2018-1319 Apache Allura HTTP response splitting
                               16 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Allura
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1319  

Original Bulletin: 
   https://lists.apache.org/thread.html/22b74bc4002091157ec2bddf9fa3b7643ffaa77aa6cb85562f0e30da@%3Cdev.allura.apache.org%3E

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2018-1319 Apache Allura HTTP response splitting

Severity: Important
Versions Affected: All

Description:
Attackers may craft URLs that cause HTTP response splitting.  If a victim goes
to a maliciously crafted URL, unwanted results may occur including XSS or
service denial for the victim's browsing session.

Mitigation:
Users of Allura should upgrade to Allura 1.8.1 immediately.

Credit:
This issue was discovered by Everardo Padilla Saca

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================