Source: trafficserver
Version: 9.2.4+ds-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 9.2.4+ds-0+deb12u1
Control: found -1 8.1.10+ds-1~deb11u1

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2023-38522[0]:
| Incomplete field name check allows request smuggling

CVE-2024-35161[1]:
| Incomplete check for chunked trailer section allows request smuggling

CVE-2024-35296[2]:
| Invalid Accept-Encoding can force forwarding requests

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38522
    https://www.cve.org/CVERecord?id=CVE-2023-38522
[1] https://security-tracker.debian.org/tracker/CVE-2024-35161
    https://www.cve.org/CVERecord?id=CVE-2024-35161
[2] https://security-tracker.debian.org/tracker/CVE-2024-35296
    https://www.cve.org/CVERecord?id=CVE-2024-35296
[3] https://www.openwall.com/lists/oss-security/2024/07/25/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
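As an added example (not code from this bug report or from Apache Traffic Server), the kind of strict check whose absence the first two CVEs describe: header and chunked-trailer field names are validated against the RFC 9110 token grammar and rejected rather than forwarded, so an intermediary and an origin cannot disagree on where a field ends. The parser, function names and sample message below are constructed here.

```python
import re

# RFC 9110 tchar set: a field name must be a non-empty token, nothing else.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def is_valid_field_name(name: str) -> bool:
    """True only if name is a non-empty RFC 9110 token."""
    return _TOKEN.fullmatch(name) is not None

def parse_field_line(line: bytes) -> tuple:
    """Split 'name: value'; reject non-token names instead of forwarding them."""
    name, sep, value = line.partition(b":")
    if not sep:
        raise ValueError("field line without a colon")
    name_s = name.decode("ascii")  # non-ASCII bytes in a name raise too
    if not is_valid_field_name(name_s):
        raise ValueError(f"invalid field name {name!r}")
    return name_s.lower(), value.strip(b" \t").decode("latin-1")

def parse_chunked(body: bytes) -> tuple:
    """Decode a chunked body into (data, trailers), validating the trailer section."""
    pos, out, trailers = 0, bytearray(), {}
    while True:
        eol = body.index(b"\r\n", pos)  # ValueError if the CRLF is missing
        size_field = body[pos:eol].split(b";", 1)[0]  # chunk extensions ignored
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError("invalid chunk size")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2
    # Trailer section: field lines parsed with the same strict rules, then CRLF.
    while True:
        eol = body.index(b"\r\n", pos)
        line, pos = body[pos:eol], eol + 2
        if not line:
            break
        name, value = parse_field_line(line)
        trailers[name] = value
    if pos != len(body):
        raise ValueError("bytes after the end of the chunked body")
    return bytes(out), trailers
```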