trafficserver: Apache Traffic Server is vulnerable to various HTTP/1.x and HTTP/2 attacks

Related Vulnerabilities: CVE-2021-27577   CVE-2021-32565   CVE-2021-32566   CVE-2021-32567   CVE-2021-35474  

Debian Bug report logs - #990303


Reported by: Lorenzo Maurizi <l.maurizi@comune.jesi.an.it>

Date: Fri, 25 Jun 2021 07:18:02 UTC

Severity: grave

Tags: security, upstream

Found in versions trafficserver/8.0.2+ds-1+deb10u4, trafficserver/8.1.1+ds-1



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Jean Baptiste Favre <debian@jbfavre.org>:
Bug#990303; Package trafficserver. (Fri, 25 Jun 2021 07:18:04 GMT)


Acknowledgement sent to Lorenzo Maurizi <l.maurizi@comune.jesi.an.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Jean Baptiste Favre <debian@jbfavre.org>. (Fri, 25 Jun 2021 07:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Lorenzo Maurizi <l.maurizi@comune.jesi.an.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: trafficserver: Apache Traffic Server is vulnerable to various HTTP/1.x and HTTP/2 attacks
Date: Fri, 25 Jun 2021 08:59:25 +0200
Package: trafficserver
Version: 8.0.2+ds-1+deb10u4
Severity: grave
Tags: security
Justification: user security hole



-- System Information:
Debian Release: 10.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-17-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages trafficserver depends on:
ii  adduser          3.118
ii  libbrotli1       1.0.7-2+deb10u1
ii  libc6            2.28-10
ii  libcap2          1:2.25-2
ii  libcurl4         7.64.0-4+deb10u2
ii  libgcc1          1:8.3.0-6
ii  libgeoip1        1.6.12-1
ii  libhwloc5        1.11.12-3
ii  libluajit-5.1-2  2.1.0~beta3+dfsg-5.1
ii  liblzma5         5.2.4-1
ii  libncursesw6     6.1+20181013-2+deb10u2
ii  libpcre3         2:8.39-12
ii  libssl1.1        1.1.1d-0+deb10u6
ii  libstdc++6       8.3.0-6
ii  libtcl8.6        8.6.9+dfsg-2
ii  libtinfo6        6.1+20181013-2+deb10u2
ii  libunwind8       1.2.1-10~deb10u1
ii  libyaml-cpp0.6   0.6.2-4
ii  lsb-base         10.2019051400
ii  perl             5.28.1-6+deb10u1
ii  zlib1g           1:1.2.11.dfsg-1

trafficserver recommends no packages.

Versions of packages trafficserver suggests:
pn  trafficserver-experimental-plugins  <none>

-- Configuration Files:
/etc/trafficserver/ip_allow.config changed [not included]
/etc/trafficserver/records.config changed [not included]

-- no debconf information

Description:
ATS is vulnerable to various HTTP/1.x and HTTP/2 attacks

CVE:
CVE-2021-27577 Incorrect handling of URL fragment leads to cache poisoning
CVE-2021-32565 HTTP Request Smuggling, content length with invalid characters
CVE-2021-32566 Specific sequence of HTTP/2 frames can cause ATS to crash
CVE-2021-32567 Reading HTTP/2 frames too many times
CVE-2021-35474 Dynamic stack buffer overflow in cachekey plugin

Version Affected:
ATS 7.0.0 to 7.1.12
ATS 8.0.0 to 8.1.1
ATS 9.0.0 to 9.0.1

Mitigation:
7.x users should upgrade to 8.1.2 or 9.0.2, or later versions
8.x users should upgrade to 8.1.2 or later versions
9.x users should upgrade to 9.0.2 or later versions
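Two of the HTTP/1.x issues listed above are parsing-strictness problems: a Content-Length value containing characters other than digits can be interpreted differently by a proxy and by the next hop (the basis of request smuggling), and a URL fragment that reaches the cache key lets responses be keyed on client-side data the origin never sees. The Python sketch below is an added illustration and is not code from this bug report or from Apache Traffic Server; the function names and the sample header values are my own, and it shows the strict, reject-on-doubt behaviour a proxy or an acceptance test would apply.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 7230 defines Content-Length as 1*DIGIT: ASCII digits only, nothing else.
# A lenient parser that "repairs" "+42", "4 2" or "42abc" can disagree with
# the next hop about where the body ends; the strict rule below rejects them.
_CONTENT_LENGTH = re.compile(rb"[0-9]+")


def parse_content_length(values):
    """Return the declared body length, or None if the request must be rejected.

    `values` is the list of raw Content-Length field values (bytes) as they
    appeared in the request; several entries mean several header lines.
    """
    if not values:
        # No Content-Length at all: body framing is decided elsewhere
        # (Transfer-Encoding or no body), not by this check.
        return 0
    if len(values) != 1:
        # Multiple Content-Length lines are ambiguous by definition; reject
        # even when the values happen to agree.
        return None
    # Only optional whitespace around the field value is tolerated.
    value = values[0].strip(b" \t")
    if not _CONTENT_LENGTH.fullmatch(value):
        return None
    return int(value.decode("ascii"))


def cache_key(url):
    """Drop the fragment before a URL is used as a cache key.

    The fragment is client-side only and is never sent to the origin, so two
    requests that differ only in "#..." must map to the same cache entry.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def check_request(headers, url):
    """Apply both checks to a (constructed) request.

    `headers` is a list of (name, value) byte pairs. Returns (True, cache_key)
    when the request is acceptable, or (False, reason) when it must be refused.
    """
    length = parse_content_length(
        [v for k, v in headers if k.lower() == b"content-length"]
    )
    if length is None:
        return False, "invalid Content-Length"
    return True, cache_key(url)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(check_request([(b"Content-Length", b"5")], "https://example.com/x#frag"))
    print(check_request([(b"Content-Length", b"5 0")], "https://example.com/x"))
    print(check_request([(b"Content-Length", b"5"), (b"Content-Length", b"5")],
                        "https://example.com/x"))
```

The choice to refuse rather than normalise is deliberate: once a value needs repair, the only safe assumption is that another component on the path will repair it differently, so a 400 response is the defensive outcome.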



Marked as found in versions trafficserver/8.1.1+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 25 Jun 2021 07:39:02 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 25 Jun 2021 07:39:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jean Baptiste Favre <debian@jbfavre.org>:
Bug#990303; Package trafficserver. (Fri, 25 Jun 2021 09:51:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jean Baptiste Favre <debian@jbfavre.org>. (Fri, 25 Jun 2021 09:51:03 GMT)


Message #14 received at 990303@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Lorenzo Maurizi <l.maurizi@comune.jesi.an.it>, debian@jbfavre.org
Cc: 990303@bugs.debian.org
Subject: Re: trafficserver: Apache Traffic Server is vulnerable to various HTTP/1.x and HTTP/2 attacks
Date: Fri, 25 Jun 2021 11:48:20 +0200
On Fri, Jun 25, 2021 at 08:59:25AM +0200, Lorenzo Maurizi wrote:
> Package: trafficserver
> Version: 8.0.2+ds-1+deb10u4
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> CVE:
> CVE-2021-27577 Incorrect handling of URL fragment leads to cache poisoning
> CVE-2021-32565 HTTP Request Smuggling, content length with invalid characters
> CVE-2021-32566 Specific sequence of HTTP/2 frames can cause ATS to crash
> CVE-2021-32567 Reading HTTP/2 frames too many times
> CVE-2021-35474 Dynamic stack buffer overflow in cachekey plugin

For 8.1.x these are fixed by https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277

I've added full references to the Security Tracker:
https://security-tracker.debian.org/tracker/CVE-2021-35474
https://security-tracker.debian.org/tracker/CVE-2021-32567
https://security-tracker.debian.org/tracker/CVE-2021-32566
https://security-tracker.debian.org/tracker/CVE-2021-32565
https://security-tracker.debian.org/tracker/CVE-2021-27577

Jean Baptiste, can you prepare updates for buster-security?

Cheers,
        Moritz





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jun 25 16:15:32 2021; Machine Name: bembo
