Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

trafficserver: CVE-2019-9518

Related Vulnerabilities: CVE-2019-9518  

Source

Debian Bug report logs - #935314
trafficserver: CVE-2019-9518

version graph

Package: src:trafficserver; Maintainer for src:trafficserver is Jean Baptiste Favre <debian@jbfavre.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 21 Aug 2019 14:24:01 UTC

Severity: grave

Tags: security, upstream

Found in version trafficserver/8.0.3+ds-4

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Jean Baptiste Favre <debian@jbfavre.org>:
Bug#935314; Package src:trafficserver. (Wed, 21 Aug 2019 14:24:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Jean Baptiste Favre <debian@jbfavre.org>. (Wed, 21 Aug 2019 14:24:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: trafficserver: CVE-2019-9518
Date: Wed, 21 Aug 2019 16:20:05 +0200
Source: trafficserver
Version: 8.0.3+ds-4
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for trafficserver,
additionally to #934887. Filling as separate bug as the fixed version
ranges slightly differ.

CVE-2019-9518[0]:
| Some HTTP/2 implementations are vulnerable to a flood of empty frames,
| potentially leading to a denial of service. The attacker sends a
| stream of frames with an empty payload and without the end-of-stream
| flag. These frames can be DATA, HEADERS, CONTINUATION and/or
| PUSH_PROMISE. The peer spends time processing each frame
| disproportionate to attack bandwidth. This can consume excess CPU.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9518
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 22 09:35:45 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started