trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487


Debian Bug report logs - #1054427

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Mon, 23 Oct 2023 18:21:04 UTC

Severity: grave

Tags: security, upstream



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Jean Baptiste Favre <debian@jbfavre.org>:
Bug#1054427; Package src:trafficserver. (Mon, 23 Oct 2023 18:21:06 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Jean Baptiste Favre <debian@jbfavre.org>. (Mon, 23 Oct 2023 18:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487
Date: Mon, 23 Oct 2023 20:20:20 +0200
Source: trafficserver
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2023-41752[0]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Traffic Server. This issue affects Apache
| Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.
| Users are recommended to upgrade to version 8.1.9 or 9.2.3, which
| fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/334839cb7a6724c71a5542e924251a8d931774b0 (8.1.x)
https://github.com/apache/trafficserver/commit/de7c8a78edd5b75e311561dfaa133e9d71ea8a5e (9.2.x)

CVE-2023-39456[1]:
| Improper Input Validation vulnerability in Apache Traffic Server
| with malformed HTTP/2 frames. This issue affects Apache Traffic
| Server: from 9.0.0 through 9.2.2.  Users are recommended to upgrade
| to version 9.2.3, which fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/4ca137b59bc6aaa25f8b14db2bdd2e72c43502e5 (9.2.x)

CVE-2023-44487[2]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.3-rc0)
https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620 (8.1.x)

For oldstable-security let's move to 8.1.8 and for stable-security
to 9.2.3?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41752
    https://www.cve.org/CVERecord?id=CVE-2023-41752
[1] https://security-tracker.debian.org/tracker/CVE-2023-39456
    https://www.cve.org/CVERecord?id=CVE-2023-39456
[2] https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.
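The CVE-2023-44487 text above describes the HTTP/2 "Rapid Reset" pattern: a client opens a stream with HEADERS and immediately cancels it with RST_STREAM, so the server's SETTINGS_MAX_CONCURRENT_STREAMS limit is never reached while every request still starts backend work. The model below is an added example, not code from this bug report or from Apache Traffic Server; it simulates that pattern against a toy server and shows the shape of mitigation most HTTP/2 servers adopted (count RST_STREAM frames per connection in a sliding window and send GOAWAY past a threshold). The class and function names, the 100-per-60-seconds threshold and the concurrency limit are illustrative assumptions, not the project's settings.

```python
# Added example (not from the bug report or from Apache Traffic Server):
# a toy model of the HTTP/2 "Rapid Reset" pattern behind CVE-2023-44487,
# plus a per-connection RST_STREAM rate limit of the kind servers adopted
# as mitigation. Names and thresholds are illustrative assumptions.
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Set

# SETTINGS_MAX_CONCURRENT_STREAMS advertised by the toy server (assumed value)
MAX_CONCURRENT_STREAMS = 100


@dataclass
class H2Connection:
    """Server-side view of one HTTP/2 connection."""
    max_resets: int                 # RST_STREAM frames tolerated per window
    window_s: float                 # sliding window length in seconds
    open_streams: Set[int] = field(default_factory=set)
    reset_times: Deque[float] = field(default_factory=deque)
    requests_started: int = 0       # backend work kicked off (what the attack amplifies)
    peak_concurrency: int = 0       # highest len(open_streams) ever observed
    closed: bool = False            # True once GOAWAY has been sent

    def on_headers(self, stream_id: int, now: float) -> bool:
        """HEADERS frame: open a stream and start processing the request."""
        if self.closed:
            return False
        if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return False  # would be answered with RST_STREAM(REFUSED_STREAM)
        self.open_streams.add(stream_id)
        self.peak_concurrency = max(self.peak_concurrency, len(self.open_streams))
        # Proxying to origin, logging, etc. begins here and is not undone by a
        # later cancel: that is the resource cost the attack multiplies.
        self.requests_started += 1
        return True

    def on_rst_stream(self, stream_id: int, now: float) -> bool:
        """RST_STREAM frame: client cancels; the stream slot frees immediately."""
        self.open_streams.discard(stream_id)
        self.reset_times.append(now)
        while self.reset_times and now - self.reset_times[0] > self.window_s:
            self.reset_times.popleft()
        if len(self.reset_times) > self.max_resets:
            self.closed = True  # GOAWAY(ENHANCE_YOUR_CALM): stop serving this peer
        return not self.closed


def rapid_reset(conn: H2Connection, pairs: int, interval_s: float = 0.001) -> int:
    """Client loop: HEADERS immediately followed by RST_STREAM on stream ids 1,3,5,...
    Returns how many requests the server accepted before it refused."""
    now = 0.0
    accepted = 0
    for i in range(pairs):
        sid = 2 * i + 1
        if not conn.on_headers(sid, now):
            break
        accepted += 1
        conn.on_rst_stream(sid, now)
        now += interval_s
    return accepted


def demo() -> dict:
    # Unmitigated server: the concurrency limit never trips because each stream
    # is closed before the next one opens, so every request starts backend work.
    naive = H2Connection(max_resets=10**9, window_s=60.0)
    naive_accepted = rapid_reset(naive, pairs=10_000)
    # Mitigated server: more than 100 resets within 60 s ends the connection.
    guarded = H2Connection(max_resets=100, window_s=60.0)
    guarded_accepted = rapid_reset(guarded, pairs=10_000)
    return {
        "naive_accepted": naive_accepted,
        "naive_peak_concurrency": naive.peak_concurrency,
        "guarded_accepted": guarded_accepted,
        "guarded_closed": guarded.closed,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the naive server starting all 10,000 requests with a peak concurrency of 1, so a limit on open streams alone cannot catch this, while the guarded server closes the connection after the 101st reset. A real client that cancels a handful of streams stays well below the threshold, which is why a rate over a window, not a flat ban on RST_STREAM, is the usable knob.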



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 23 Oct 2023 18:54:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Oct 24 17:54:49 2023; Machine Name: buxtehude
