trafficserver: CVE-2014-10022

Related Vulnerabilities: CVE-2014-10022, CVE-2014-3624

Debian Bug report logs - #778895


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Sat, 21 Feb 2015 13:27:01 UTC

Severity: grave

Tags: patch, security

Fixed in version 5.3.0-1

Done: Aron Xu <aron@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Arno Töll <arno@debian.org>:
Bug#778895; Package trafficserver. (Sat, 21 Feb 2015 13:27:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Arno Töll <arno@debian.org>. (Sat, 21 Feb 2015 13:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: trafficserver: CVE-2014-10022
Date: Sat, 21 Feb 2015 14:18:56 +0100
Package: trafficserver
Severity: grave
Tags: security
Justification: user security hole

Hi,
this has been assigned CVE-2014-10022:
https://issues.apache.org/jira/browse/TS-3223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10022

Fix:
https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;a=commit;h=8b5f0345dade6b2822d9b52c8ad12e63011a5c12

Cheers,
        Moritz



Added tag(s) patch. Request was from Arnaud Fontaine <arnau@debian.org> to control@bugs.debian.org. (Tue, 10 Mar 2015 07:30:11 GMT)


Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#778895. (Tue, 10 Mar 2015 07:30:15 GMT)


Message #10 received at 778895-submitter@bugs.debian.org:

From: Arnaud Fontaine <arnau@debian.org>
To: debian-release@lists.debian.org, Arno Töll <arno@debian.org>
Cc: 778895-submitter@bugs.debian.org
Subject: (pre-approval) unblock: trafficserver/5.0.1-1+deb8u1
Date: Tue, 10 Mar 2015 16:24:13 +0900
Hello,

I have prepared an NMU for trafficserver fixing #778895 RC bug
(CVE-2014-10022) and considering that a new upstream release has already
been uploaded to unstable, I would like to upload to
testing-proposed-updates. I'm Cc'ing the maintainer of this package to
get his approval as well.

I have attached the NMU patch to this email. The package builds fine in
a Jessie chroot and all the tests ran during the build pass.

Regards,
-- 
Arnaud Fontaine

[trafficserver_5.0.1-1+deb8u1.debdiff (text/x-diff, attachment)]

Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#778895. (Tue, 10 Mar 2015 08:03:19 GMT)


Message #13 received at 778895-submitter@bugs.debian.org:

From: Ivo De Decker <ivodd@debian.org>
To: Arnaud Fontaine <arnau@debian.org>
Cc: debian-release@lists.debian.org, Arno Töll <arno@debian.org>, 778895-submitter@bugs.debian.org
Subject: Re: (pre-approval) unblock: trafficserver/5.0.1-1+deb8u1
Date: Tue, 10 Mar 2015 09:00:24 +0100
Hi,

Please file a proper unblock request, so that it's easy to track.

On Tue, Mar 10, 2015 at 04:24:13PM +0900, Arnaud Fontaine wrote:
> I have prepared an NMU for trafficserver fixing #778895 RC bug
> (CVE-2014-10022) and considering that a new upstream release has already
> been uploaded to unstable, I would like to upload to
> testing-proposed-updates. I'm Cc'ing the maintainer of this package to
> get his approval as well.
> 
> I have attached the NMU patch to this email. The package builds fine in
> a Jessie chroot and all the tests ran during the build pass.

Please go ahead, but use jessie as distribution instead of
testing-proposed-updates.

Cheers,

Ivo




Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#778895. (Tue, 10 Mar 2015 08:30:04 GMT)


Message #16 received at 778895-submitter@bugs.debian.org:

From: Arnaud Fontaine <arnau@debian.org>
To: Ivo De Decker <ivodd@debian.org>
Cc: debian-release@lists.debian.org, Arno Töll <arno@debian.org>, 778895-submitter@bugs.debian.org
Subject: Re: (pre-approval) unblock: trafficserver/5.0.1-1+deb8u1
Date: Tue, 10 Mar 2015 17:27:04 +0900
Ivo De Decker <ivodd@debian.org> writes:

> Please file a proper unblock request, so that it's easy to track.
>
> On Tue, Mar 10, 2015 at 04:24:13PM +0900, Arnaud Fontaine wrote:
>> I have prepared an NMU for trafficserver fixing #778895 RC bug
>> (CVE-2014-10022) and considering that a new upstream release has already
>> been uploaded to unstable, I would like to upload to
>> testing-proposed-updates. I'm Cc'ing the maintainer of this package to
>> get his approval as well.
>> 
>> I have attached the NMU patch to this email. The package builds fine in
>> a Jessie chroot and all the tests ran during the build pass.
>
> Please go ahead, but use jessie as distribution instead of
> testing-proposed-updates.

Ok, before uploading and filing a proper unblock request, I will wait
for the maintainer ACK until Friday if that's ok with you.

Cheers,
-- 
Arnaud Fontaine

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#778895; Package trafficserver. (Tue, 10 Mar 2015 14:03:05 GMT)


Acknowledgement sent to Arno Töll <arno@debian.org>:
Extra info received and forwarded to list. (Tue, 10 Mar 2015 14:03:05 GMT)


Message #21 received at 778895@bugs.debian.org:

From: Arno Töll <arno@debian.org>
To: Arnaud Fontaine <arnau@debian.org>
Cc: Ivo De Decker <ivodd@debian.org>, debian-release@lists.debian.org, 778895@bugs.debian.org
Subject: Re: (pre-approval) unblock: trafficserver/5.0.1-1+deb8u1
Date: Tue, 10 Mar 2015 14:54:10 +0100
Hi,

On Tuesday 10 March 2015 17:27:04 Arnaud Fontaine wrote:
> Ok, before uploading and filing a proper unblock request, I will wait
> for the maintainer ACK until Friday if that's ok with you.

I'm fine with your NMU, but please note it's only part of the problem. We never
bothered with the (easy) fix for #778895 because of other security problems we
cannot easily fix, in particular CVE-2014-3624 and #749846 - both fixed in Sid.

However, the Release Team was uncomfortable with unblocking that package (cf.
#769689). I'm afraid that we had better ask for removal of that package from
Testing rather than bothering with it, as we - as maintainers - cannot
guarantee the security of it already, even less so over the lifespan of a
Debian Release, and upstream is moving faster than us.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D

Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#778895. (Fri, 13 Mar 2015 08:33:20 GMT)


Message #24 received at 778895-submitter@bugs.debian.org:

From: Arnaud Fontaine <arnau@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: 778895-submitter@bugs.debian.org, Arno Töll <arno@debian.org>
Subject: RM: trafficserver/5.0.1-1
Date: Fri, 13 Mar 2015 17:29:04 +0900
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: rm

Hello,

Considering that trafficserver is currently affected by 3 security bugs
(CVE-2014-3624, CVE-2014-10022 (#778895) and #749846) fixed in Sid but
which were not uploaded on time to testing before the freeze, and that
these bugs cannot be easily fixed, it would probably be better to remove
it from testing as suggested by Arno Töll, the maintainer of
trafficserver, on #778895:

  "However, the Release Team was uncomfortable with unblocking that package
  (cf. #769689). I'm afraid that we had better ask for removal of that
  package from Testing rather than bothering with it, as we - as
  maintainers - cannot guarantee the security of it already, even
  less so over the lifespan of a Debian Release, and upstream is moving
  faster than us."

Thanks in advance.

Regards,
-- 
Arnaud Fontaine

Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#778895. (Sat, 14 Mar 2015 09:45:18 GMT)


Message #27 received at 778895-submitter@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: Arnaud Fontaine <arnau@debian.org>, 780388-done@bugs.debian.org
Cc: 778895-submitter@bugs.debian.org, Arno Töll <arno@debian.org>
Subject: Re: Bug#780388: RM: trafficserver/5.0.1-1
Date: Sat, 14 Mar 2015 10:43:18 +0100
On 2015-03-13 09:29, Arnaud Fontaine wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: rm
> 
> Hello,
> 
> Considering that trafficserver is currently affected by 3 security bugs
> (CVE-2014-3624, CVE-2014-10022 (#778895) and #749846) fixed in Sid but
> which were not uploaded on time to testing before the freeze, and that
> these bugs cannot be easily fixed, it would probably be better to remove
> it from testing as suggested by Arno Töll, the maintainer of
> trafficserver, on #778895:
> 
>   "However, the Release Team was uncomfortable with unblocking that package
>   (cf. #769689). I'm afraid that we had better ask for removal of that
>   package from Testing rather than bothering with it, as we - as
>   maintainers - cannot guarantee the security of it already, even
>   less so over the lifespan of a Debian Release, and upstream is moving
>   faster than us."
> 
> Thanks in advance.
> 
> Regards,
> 

Ack, I have added a removal hint for trafficserver.  Hopefully things
will look better for Stretch.

Thanks,
~Niels





Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Fri, 12 Jun 2015 13:27:35 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 12 Jun 2015 13:27:35 GMT)


Message #32 received at 778895-close@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: 778895-close@bugs.debian.org
Subject: fixed in 5.3.0-1
Date: Fri, 12 Jun 2015 21:23:44 +0800
Source-Version: 5.3.0-1

This CVE is closed in trafficserver/5.3.0-1.

Thanks,
Aron



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Jul 2015 07:49:24 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:59:48 2019; Machine Name: buxtehude
