Your message dated Tue, 10 Sep 2019 19:54:43 +0000
with message-id <e1i7mdr-000ctf...@fasolo.debian.org>
and subject line Bug#935314: fixed in trafficserver 8.0.2+ds-1+deb10u1
has caused the Debian Bug report #935314,
regarding trafficserver: CVE-2019-9518
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
935314: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935314
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: trafficserver
Version: 8.0.3+ds-4
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for trafficserver,
additionally to #934887. Filing as a separate bug as the fixed version
ranges slightly differ.

CVE-2019-9518[0]:
| Some HTTP/2 implementations are vulnerable to a flood of empty frames,
| potentially leading to a denial of service. The attacker sends a
| stream of frames with an empty payload and without the end-of-stream
| flag. These frames can be DATA, HEADERS, CONTINUATION and/or
| PUSH_PROMISE. The peer spends time processing each frame
| disproportionate to attack bandwidth. This can consume excess CPU.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9518
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: trafficserver
Source-Version: 8.0.2+ds-1+deb10u1

We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 935...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean Baptiste Favre <deb...@jbfavre.org> (supplier of updated trafficserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 26 Aug 2019 13:55:33 +0200
Source: trafficserver
Architecture: source
Version: 8.0.2+ds-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Aron Xu <a...@debian.org>
Changed-By: Jean Baptiste Favre <deb...@jbfavre.org>
Closes: 934887 935314
Changes:
 trafficserver (8.0.2+ds-1+deb10u1) buster-security; urgency=high
 .
   * Add patch for security backport from 8.0.4 for CVE-2019-9512,
        CVE-2019-9514, and CVE-2019-9515. (Closes: #934887)
   * Add patch for security backport from 8.0.5 for fixes
        CVE-2019-9518 (Closes: #935314)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
