Your message dated Tue, 07 Nov 2023 21:17:08 +0000
with message-id <e1r0trc-000daq...@fasolo.debian.org>
and subject line Bug#1053801: fixed in trafficserver 9.2.3+ds-1+deb12u1
has caused the Debian Bug report #1053801,
regarding trafficserver: CVE-2023-44487
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053801: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053801
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: trafficserver
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for trafficserver.

CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.

Fixed in 9.2.3:
https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.x)

--- End Message ---
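The CVE text quoted in the report above describes the HTTP/2 rapid-reset pattern only at the protocol level: a client opens streams and cancels them at once, so the server pays the per-stream setup cost while the client's concurrency limit is never reached. As an added example, not code from the bug report, the CVE record, Debian or Apache Traffic Server, the following Python sketch shows the mitigation most HTTP/2 servers adopted: parse the 9-byte HTTP/2 frame header, count RST_STREAM frames per connection over a sliding window, and close the connection once a client exceeds a reset budget. The budget (100 resets per second), the connection ids and the sample traffic are constructed for this example.

```python
# Added example: a rapid-reset detector for HTTP/2 connections.
# It parses raw HTTP/2 frame headers (RFC 9113 section 4.1), counts
# RST_STREAM frames per connection in a sliding time window, and reports
# when a client exceeds a reset budget. The traffic below is constructed
# for the example; nothing here is Apache Traffic Server or Debian code.
from collections import deque

FRAME_HEADER_LEN = 9          # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
TYPE_HEADERS = 0x1
TYPE_RST_STREAM = 0x3
ERR_CANCEL = 0x8              # RST_STREAM error code CANCEL
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one HTTP/2 frame (used only to construct sample traffic)."""
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
            + payload)


def parse_frames(data):
    """Return a list of (type, flags, stream_id, payload) tuples for every
    complete frame in `data`; a trailing truncated frame is ignored."""
    frames = []
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break                      # incomplete frame at end of buffer
        frames.append((ftype, flags, stream_id, payload))
        off += FRAME_HEADER_LEN + length
    return frames


class ResetRateLimiter:
    """Per-connection budget of RST_STREAM frames within a sliding window.
    `max_resets` and `window_seconds` are assumed tuning values."""

    def __init__(self, max_resets=100, window_seconds=1.0):
        self.max_resets = max_resets
        self.window = window_seconds
        self._resets = {}              # conn_id -> deque of reset timestamps

    def observe(self, conn_id, ftype, now):
        """Record one frame; return True when the connection should be
        closed because it has reset more streams than the budget allows."""
        if ftype != TYPE_RST_STREAM:
            return False
        q = self._resets.setdefault(conn_id, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                # drop resets that fell out of the window
        return len(q) > self.max_resets


def first_violation(limiter, conn_id, events):
    """events: list of (timestamp, raw_bytes). Return the index of the first
    event that trips the limiter, or None if the connection stays within budget."""
    for idx, (ts, raw) in enumerate(events):
        for ftype, _flags, _sid, _payload in parse_frames(raw):
            if limiter.observe(conn_id, ftype, ts):
                return idx
    return None


def constructed_reset_traffic(n, start, spacing):
    """Constructed sample traffic: n client streams, each opened with a
    minimal HEADERS frame (HPACK 0x82 = ':method: GET') and immediately
    cancelled with RST_STREAM(CANCEL), `spacing` seconds apart."""
    events, t = [], start
    for i in range(n):
        sid = 2 * i + 1               # client-initiated stream ids are odd
        events.append((t, build_frame(TYPE_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, b"\x82")))
        events.append((t, build_frame(TYPE_RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big"))))
        t += spacing
    return events


if __name__ == "__main__":
    limiter = ResetRateLimiter(max_resets=100, window_seconds=1.0)
    burst = constructed_reset_traffic(200, 0.0, 0.0005)   # 200 resets in 0.1 s
    slow = constructed_reset_traffic(5, 0.0, 2.0)          # 5 resets over 8 s
    print("burst tripped at event", first_violation(limiter, "conn-burst", burst))  # 201
    print("slow client tripped at", first_violation(limiter, "conn-slow", slow))    # None
```

The design point is where the count happens: the limiter is fed from the frame decoder, before any stream state is allocated, because the cost the pattern exploits is the work a server does when it creates a stream. A client that cancels a handful of requests over several seconds (the second connection above) stays well under the budget and is never affected; a connection that opens and resets hundreds of streams within a fraction of a second is dropped as soon as the budget is exceeded, which caps the work it can force. The threshold itself is a tuning assumption and should be set from observed legitimate reset rates.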
--- Begin Message ---
Source: trafficserver
Source-Version: 9.2.3+ds-1+deb12u1
Done: Jean Baptiste Favre <deb...@jbfavre.org>

We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean Baptiste Favre <deb...@jbfavre.org> (supplier of updated trafficserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 Nov 2023 15:01:39 +0100
Source: trafficserver
Architecture: source
Version: 9.2.3+ds-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Jean Baptiste Favre <deb...@jbfavre.org>
Changed-By: Jean Baptiste Favre <deb...@jbfavre.org>
Closes: 1053801 1054427
Changes:
 trafficserver (9.2.3+ds-1+deb12u1) bookworm-security; urgency=medium
 .
   * Multiple CVE fixes for 9.2.x (Closes: #1054427, Closes: #1053801)
     - CVE-2022-47185: Improper input validation vulnerability
     - CVE-2023-33934: Improper Input Validation vulnerability
     - CVE-2023-39456: Improper Input Validation vulnerability
     - CVE-2023-41752: Exposure of Sensitive Information to an Unauthorized Actor
     - CVE-2023-44487: The HTTP/2 protocol allows a denial of service
   * Refresh d/patches for 9.2.3 release
   * Add patch to workaround missing sphinxcontrib.jquery module
   * Update d/trafficserver-experimental-plugins for 9.2.3 release
Checksums-Sha1:
 e4fe79a6f1051e639a5f737c1eb1853365dc5b31 3024 trafficserver_9.2.3+ds-1+deb12u1.dsc
 bd4752974c4343d6be0deb34ed61e521157bba21 8942124 trafficserver_9.2.3+ds.orig.tar.xz
 e96d4dba828c00f431245d664d396ce969a8caf7 35904 trafficserver_9.2.3+ds-1+deb12u1.debian.tar.xz
 0ec93376e0cc8adebbde91f395306956f3d50a8e 12654 trafficserver_9.2.3+ds-1+deb12u1_source.buildinfo
Checksums-Sha256:
 0dfb2438a13aaeedc594ca4bed4d278417a21662f035c1013461e955f2e1aa85 3024 trafficserver_9.2.3+ds-1+deb12u1.dsc
 0e323e1c4c01d1506cfd49d4c6935dbebd125b187d9ba72fe909bd6b10d81110 8942124 trafficserver_9.2.3+ds.orig.tar.xz
 f33a37f2906683b3a78ba2c16013a4ef85ea1eeeb016937917765bb497017204 35904 trafficserver_9.2.3+ds-1+deb12u1.debian.tar.xz
 7f5f711ef2a60ba681bbd5b556ad55347d402fd5251d2dcde5519c341864b647 12654 trafficserver_9.2.3+ds-1+deb12u1_source.buildinfo
Files:
 0243ca2fd3678757bab0bb373b55daa4 3024 web optional trafficserver_9.2.3+ds-1+deb12u1.dsc
 f65bf601372c361eb765c1d9150f5755 8942124 web optional trafficserver_9.2.3+ds.orig.tar.xz
 8fbf8ef3d95778c5e2b3e1dc45fb8777 35904 web optional trafficserver_9.2.3+ds-1+deb12u1.debian.tar.xz
 5e55436fe541f8f166d505d6e1bfc7b1 12654 web optional trafficserver_9.2.3+ds-1+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
