Your message dated Thu, 26 Jun 2025 16:03:16 +0000
with message-id <e1uup4g-002ykt...@fasolo.debian.org>
and subject line Bug#1108044: fixed in trafficserver 9.2.5+ds-0+deb12u3
has caused the Debian Bug report #1108044,
regarding trafficserver: CVE-2025-49763 CVE-2025-31698
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1108044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108044
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: trafficserver
Version: 9.2.5+ds-0+deb12u2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 9.2.5+ds-1

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2025-49763[0]:
| ESI plugin does not have the limit for maximum inclusion depth, and
| that allows excessive memory consumption if malicious instructions
| are inserted.  Users can use a new setting for the plugin (--max-
| inclusion-depth) to limit it. This issue affects Apache Traffic
| Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.
| Users are recommended to upgrade to version 9.2.11 or 10.0.6,  which
| fixes the issue.


CVE-2025-31698[1]:
| ACL configured in ip_allow.config or remap.config does not use IP
| addresses that are provided by PROXY protocol.  Users can use a new
| setting (proxy.config.acl.subjects) to choose which IP addresses to
| use for the ACL if Apache Traffic Server is configured to accept
| PROXY protocol.  This issue affects undefined: from 10.0.0 through
| 10.0.6, from 9.0.0 through 9.2.10.  Users are recommended to upgrade
| to version 9.2.11 or 10.0.6, which fixes the issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-49763
    https://www.cve.org/CVERecord?id=CVE-2025-49763
[1] https://security-tracker.debian.org/tracker/CVE-2025-31698
    https://www.cve.org/CVERecord?id=CVE-2025-31698
[2] https://www.openwall.com/lists/oss-security/2025/06/17/7

Regards,
Salvatore

--- End Message ---
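To make the CVE-2025-49763 description above concrete, here is an added example (editorial, not Apache Traffic Server code and not part of the bug report): a toy ESI include expander over a constructed in-memory origin in which two fragments include each other. With no inclusion limit the expansion only stops when a resource runs out (the Python recursion limit here, memory in a real proxy); with a limit the over-deep include is refused after a small, bounded amount of work, which the fetch counter makes visible. The --max-inclusion-depth name comes from the CVE text; the class, function names and fragment contents are assumptions made for this illustration.

```python
import re

# Constructed in-memory origin (not a real server): path -> fragment body.
# "/a" and "/b" include each other, so an unbounded resolver never finishes;
# that is the shape of the problem CVE-2025-49763 describes.
ORIGIN = {
    "/index":   '<html><esi:include src="/a"/></html>',
    "/a":       'A[<esi:include src="/b"/>]',
    "/b":       'B[<esi:include src="/a"/>]',
    "/leaf":    'LEAF',
    "/shallow": '<p><esi:include src="/leaf"/></p>',
}

INCLUDE_RE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')


class InclusionDepthExceeded(Exception):
    pass


class EsiResolver:
    """Hypothetical ESI include expander, not the ATS ESI plugin.

    max_inclusion_depth=None models the vulnerable behaviour: nothing bounds
    the chain, so processing runs until a resource is exhausted (here the
    Python recursion limit; in a real proxy, memory). A positive limit refuses
    any include nested deeper than that, mirroring --max-inclusion-depth.
    """

    def __init__(self, origin, max_inclusion_depth=None):
        self.origin = origin
        self.max_inclusion_depth = max_inclusion_depth
        self.fetches = 0          # how much work was done before we stopped

    def resolve(self, path, depth=0):
        self.fetches += 1
        body = self.origin[path]
        out, pos = [], 0
        for m in INCLUDE_RE.finditer(body):
            out.append(body[pos:m.start()])
            if self.max_inclusion_depth is not None and depth + 1 > self.max_inclusion_depth:
                raise InclusionDepthExceeded(
                    f"{m.group(1)} nested {depth + 1} deep, limit {self.max_inclusion_depth}")
            out.append(self.resolve(m.group(1), depth + 1))
            pos = m.end()
        out.append(body[pos:])
        return "".join(out)


def render(path, max_inclusion_depth=None, origin=ORIGIN):
    """Return (outcome, body_or_reason, fetches) for one request."""
    r = EsiResolver(origin, max_inclusion_depth)
    try:
        return "ok", r.resolve(path), r.fetches
    except InclusionDepthExceeded as e:
        return "rejected", str(e), r.fetches
    except RecursionError:
        return "exhausted", "unbounded inclusion chain hit the recursion limit", r.fetches


if __name__ == "__main__":
    for path, limit in (("/shallow", 3), ("/index", 4), ("/index", None)):
        print(path, limit, render(path, limit))
```

With the limit set to 4 the cyclic chain is rejected after five fragment fetches; without it the resolver fetches until Python's recursion limit stops it, which is the stand-in here for a proxy process growing until it is killed.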
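CVE-2025-31698 is easier to see with a worked model. The following added example (editorial, not ATS code and not part of the bug report) parses a PROXY protocol v1 header sent by a load balancer and evaluates a deny-then-allow ruleset against either the TCP peer address or the client address carried in that header. Judging the peer lets a client in a denied range through, because the peer is the trusted load balancer. The subject names PEER and PROXY, the rule representation and the sample header are assumptions for this illustration; the real setting is proxy.config.acl.subjects, and its accepted values should be taken from the ATS documentation for the version in use.

```python
import ipaddress

# Constructed sample: the load balancer at 10.0.0.5 opened the TCP connection
# and prepended a PROXY v1 header naming the real client 203.0.113.7.
LB_PEER = "10.0.0.5"
SAMPLE_HEADER = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n"

# Hypothetical deny-then-allow ruleset (first match wins), not ip_allow.config syntax.
RULES = [
    ("deny",  ipaddress.ip_network("203.0.113.0/24")),
    ("allow", ipaddress.ip_network("0.0.0.0/0")),
]


def parse_proxy_v1(line):
    """Parse a PROXY protocol v1 header; return (src, dst) or None for 'UNKNOWN'."""
    if not line.startswith(b"PROXY ") or not line.endswith(b"\r\n"):
        raise ValueError("not a PROXY v1 header")
    fields = line[:-2].decode("ascii").split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None                      # sender does not know the client address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    _, family, src, dst, _sport, _dport = fields
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if (family == "TCP4") != (src.version == 4 and dst.version == 4):
        raise ValueError("address family does not match addresses")
    return src, dst


def acl_subject(peer_ip, proxy_header, subjects):
    """Pick the address the ACL judges, trying each subject name in order.

    subjects=("PEER",) models the pre-fix behaviour: only the TCP peer counts.
    subjects=("PROXY", "PEER") prefers the PROXY-provided client and falls
    back to the peer when no usable header was sent.
    """
    for subject in subjects:
        if subject == "PEER":
            return peer_ip
        if subject == "PROXY" and proxy_header is not None:
            parsed = parse_proxy_v1(proxy_header)
            if parsed is not None:
                return parsed[0]
    raise ValueError("no usable ACL subject")


def acl_decide(rules, ip):
    for action, net in rules:
        if ip in net:
            return action
    return "deny"                        # default-deny when nothing matches


def evaluate(peer, proxy_header, subjects, rules=RULES):
    """Return (address judged, decision) for one connection."""
    ip = acl_subject(ipaddress.ip_address(peer), proxy_header, subjects)
    return str(ip), acl_decide(rules, ip)


if __name__ == "__main__":
    print("peer only   :", evaluate(LB_PEER, SAMPLE_HEADER, ("PEER",)))
    print("proxy, peer :", evaluate(LB_PEER, SAMPLE_HEADER, ("PROXY", "PEER")))
```

One caveat the fix does not remove: the PROXY header is only as trustworthy as the sender. Accept it only on listeners reached exclusively from the load balancer's addresses; if an arbitrary client can open a connection and send its own header, it chooses the address the ACL sees.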
--- Begin Message ---
Source: trafficserver
Source-Version: 9.2.5+ds-0+deb12u3
Done: Moritz Mühlenhoff <j...@debian.org>

We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated trafficserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 23 Jun 2025 21:06:25 +0200
Source: trafficserver
Architecture: source
Version: 9.2.5+ds-0+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Jean Baptiste Favre <deb...@jbfavre.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Closes: 1101996 1108044
Changes:
 trafficserver (9.2.5+ds-0+deb12u3) bookworm-security; urgency=medium
 .
   * CVE-2024-53868 (Closes: #1101996)
   * CVE-2025-31698, CVE-2025-49763 (Closes: #1108044)
Checksums-Sha1:
 fca66b36b3d1338b107311c93b66ea6cbc956901 2897 trafficserver_9.2.5+ds-0+deb12u3.dsc
 2a8bba2c719dfeaee3ef4a4a82318ad5af4d847d 218312 trafficserver_9.2.5+ds-0+deb12u3.debian.tar.xz
 7d3de1b134a5efd7837ac923c627cc50c4b29920 14871 trafficserver_9.2.5+ds-0+deb12u3_amd64.buildinfo
Checksums-Sha256:
 b679a9fce56f200940f6ee634ef5f2c69edeaac1864d5449e111db051893bf53 2897 trafficserver_9.2.5+ds-0+deb12u3.dsc
 0600abbb9255b062e2f947e987b5510e62e1252ff22eb477329a6eb7ae1ff104 218312 trafficserver_9.2.5+ds-0+deb12u3.debian.tar.xz
 66acd2cf41f1f5397d702ac12021f6af7670cb639ff4fb967aa324f00772df5f 14871 trafficserver_9.2.5+ds-0+deb12u3_amd64.buildinfo
Files:
 04037bf32af3bef87c6aadeac567ee41 2897 web optional trafficserver_9.2.5+ds-0+deb12u3.dsc
 e3050708d612aa61a05eae4faffd85d8 218312 web optional trafficserver_9.2.5+ds-0+deb12u3.debian.tar.xz
 13b01357e3fee8b11c3362fce8cd8b32 14871 web optional trafficserver_9.2.5+ds-0+deb12u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
