Source: trafficserver
Version: 9.2.5+ds-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2024-38479[0]:
| Improper Input Validation vulnerability in Apache Traffic Server.
| This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11,
| from 9.0.0 through 9.2.5. Users are recommended to upgrade to
| version 9.2.6, which fixes the issue, or 10.0.2, which does not have
| the issue.

CVE-2024-50305[1]:
| Valid Host header field can cause Apache Traffic Server to crash on
| some platforms. This issue affects Apache Traffic Server: from
| 9.2.0 through 9.2.5. Users are recommended to upgrade to version
| 9.2.6, which fixes the issue, or 10.0.2, which does not have the
| issue.

CVE-2024-50306[2]:
| Unchecked return value can allow Apache Traffic Server to retain
| privileges on startup. This issue affects Apache Traffic Server:
| from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1. Users are
| recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the
| issue.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-38479
    https://www.cve.org/CVERecord?id=CVE-2024-38479
[1] https://security-tracker.debian.org/tracker/CVE-2024-50305
    https://www.cve.org/CVERecord?id=CVE-2024-50305
[2] https://security-tracker.debian.org/tracker/CVE-2024-50306
    https://www.cve.org/CVERecord?id=CVE-2024-50306
[3] https://www.openwall.com/lists/oss-security/2024/11/13/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
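The CVE-2024-50306 description above names the defect class only ("unchecked return value ... retain privileges on startup"), not the code involved. The following is an added, generic illustration of that class, not Apache Traffic Server's code and not the actual fix: a privilege-drop routine whose setgid/setuid results are ignored, beside a checked form that also verifies the drop took effect. The function names, the placement of setgroups(), and the "drop to the current ids" demo in main() are all assumptions for the example.

```c
/* Added illustration of the "unchecked return value on privilege drop"
 * defect class (not Apache Traffic Server code). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Anti-pattern: results of setgid/setuid are stored but never examined.
 * If either call fails (EPERM, or EAGAIN when the target uid is at its
 * RLIMIT_NPROC), the process keeps running with the privileges it meant
 * to give up, and nothing tells the caller. */
static void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    int rc_gid = setgid(gid);
    int rc_uid = setuid(uid);
    (void)rc_gid;   /* deliberately ignored: this is the bug */
    (void)rc_uid;
}

/* Checked form. Returns 0 on success, -1 on failure with errno set;
 * the caller is expected to abort startup on -1. */
static int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still root
     * (setgroups needs CAP_SETGID), so only attempt it then. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        return -1;
    }
    /* Group first: once the uid is dropped, setgid may no longer be allowed. */
    if (setgid(gid) != 0) {
        return -1;
    }
    if (setuid(uid) != 0) {
        return -1;
    }
    /* Verify that real and effective ids are what was requested. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EACCES;
        return -1;
    }
    /* When dropping to a non-root uid, root must no longer be regainable.
     * setuid() as root resets real, effective and saved ids, so this
     * re-escalation attempt is expected to fail with EPERM. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EACCES;   /* still privileged: treat as fatal */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Demo: "drop" to the ids the process already has, which succeeds
     * whether or not the binary is run as root. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    drop_privileges_unchecked(uid, gid);   /* silent, whatever happened */

    if (drop_privileges_checked(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The detection-side takeaway for a package maintainer or operator is the last check: after a daemon claims to have dropped privileges, confirm the running process's real, effective and saved ids (for example, the `Uid:`/`Gid:` lines in `/proc/<pid>/status` on Linux) rather than trusting the startup log line.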