Your message dated Sun, 28 Jun 2020 15:17:12 +0000
with message-id <e1jpz3q-0008lk...@fasolo.debian.org>
and subject line Bug#963629: fixed in trafficserver 8.0.2+ds-1+deb10u3
has caused the Debian Bug report #963629,
regarding trafficserver: CVE-2020-9494
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
963629: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963629
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: trafficserver
Version: 8.0.7+ds-1
Severity: important
Tags: security upstream
Control: found -1 8.0.2+ds-1+deb10u2
Hi,
The following vulnerability was published for trafficserver.
CVE-2020-9494[0]:
| Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to
| 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can
| cause the server to allocate a large amount of memory and spin the
| thread.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-9494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9494
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: trafficserver
Source-Version: 8.0.2+ds-1+deb10u3
Done: Jean Baptiste Favre <deb...@jbfavre.org>
We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 963...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jean Baptiste Favre <deb...@jbfavre.org> (supplier of updated trafficserver
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 25 Jun 2020 19:58:34 +0200
Source: trafficserver
Architecture: source
Version: 8.0.2+ds-1+deb10u3
Distribution: buster-security
Urgency: high
Maintainer: Aron Xu <a...@debian.org>
Changed-By: Jean Baptiste Favre <deb...@jbfavre.org>
Closes: 963629
Changes:
trafficserver (8.0.2+ds-1+deb10u3) buster-security; urgency=high
.
* Add fix from upstream for CVE-2020-9494 (Closes: #963629)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---