Your message dated Thu, 15 Jul 2021 20:33:34 +0000
with message-id <e1m4834-000cfu...@fasolo.debian.org>
and subject line Bug#990303: fixed in trafficserver 8.1.1+ds-1.1
has caused the Debian Bug report #990303,
regarding trafficserver: Apache Traffic Server is vulnerable to various 
HTTP/1.x and HTTP/2 attacks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990303
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: trafficserver
Version: 8.0.2+ds-1+deb10u4
Severity: grave
Tags: security
Justification: user security hole



-- System Information:
Debian Release: 10.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-17-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages trafficserver depends on:
ii  adduser          3.118
ii  libbrotli1       1.0.7-2+deb10u1
ii  libc6            2.28-10
ii  libcap2          1:2.25-2
ii  libcurl4         7.64.0-4+deb10u2
ii  libgcc1          1:8.3.0-6
ii  libgeoip1        1.6.12-1
ii  libhwloc5        1.11.12-3
ii  libluajit-5.1-2  2.1.0~beta3+dfsg-5.1
ii  liblzma5         5.2.4-1
ii  libncursesw6     6.1+20181013-2+deb10u2
ii  libpcre3         2:8.39-12
ii  libssl1.1        1.1.1d-0+deb10u6
ii  libstdc++6       8.3.0-6
ii  libtcl8.6        8.6.9+dfsg-2
ii  libtinfo6        6.1+20181013-2+deb10u2
ii  libunwind8       1.2.1-10~deb10u1
ii  libyaml-cpp0.6   0.6.2-4
ii  lsb-base         10.2019051400
ii  perl             5.28.1-6+deb10u1
ii  zlib1g           1:1.2.11.dfsg-1

trafficserver recommends no packages.

Versions of packages trafficserver suggests:
pn  trafficserver-experimental-plugins  <none>

-- Configuration Files:
/etc/trafficserver/ip_allow.config changed [not included]
/etc/trafficserver/records.config changed [not included]

-- no debconf information

Description:
ATS is vulnerable to various HTTP/1.x and HTTP/2 attacks

CVE:
CVE-2021-27577 Incorrect handling of url fragment leads to cache poisoning
CVE-2021-32565 HTTP Request Smuggling, content length with invalid characters
CVE-2021-32566 Specific sequence of HTTP/2 frames can cause ATS to crash
CVE-2021-32567 Reading HTTP/2 frames too many times
CVE-2021-35474 Dynamic stack buffer overflow in cachekey plugin

Version Affected:
ATS 7.0.0 to 7.1.12
ATS 8.0.0 to 8.1.1
ATS 9.0.0 to 9.0.1

Mitigation:
7.x users should upgrade to 8.1.2 or 9.0.2, or later versions
8.x users should upgrade to 8.1.2 or later versions
9.x users should upgrade to 9.0.2 or later versions

--- End Message ---
--- Begin Message ---
Source: trafficserver
Source-Version: 8.1.1+ds-1.1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated trafficserver 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 15 Jul 2021 21:48:17 +0200
Source: trafficserver
Architecture: source
Version: 8.1.1+ds-1.1
Distribution: unstable
Urgency: medium
Maintainer: Jean Baptiste Favre <deb...@jbfavre.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 990303
Changes:
 trafficserver (8.1.1+ds-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Address CVE-2021-27577, CVE-2021-32565, CVE-2021-32566, CVE-2021-32567 and
     CVE-2021-35474.
     - CVE-2021-27577: Incorrect handling of url fragment leads to cache
       poisoning
     - CVE-2021-32565: HTTP Request Smuggling, content length with invalid
       characters
     - CVE-2021-32566: Specific sequence of HTTP/2 frames can cause ATS to
       crash
     - CVE-2021-32567: Reading HTTP/2 frames too many times
     - CVE-2021-35474: Dynamic stack buffer overflow in cachekey plugin
     (Closes: #990303)
Checksums-Sha1:
 4925f90729116068bafa9eaa067d1d8b366f8b78 2881 trafficserver_8.1.1+ds-1.1.dsc
 75eccf2d46c76923417e3c0408d46cefa8848adc 44068 trafficserver_8.1.1+ds-1.1.debian.tar.xz
Checksums-Sha256:
 23887ef0f0e71b03d0f87b86171ff377b2c413fb7d63bac78d79fece40f3c433 2881 trafficserver_8.1.1+ds-1.1.dsc
 34e2af5fa308e8ca4b101861d2dddd4f446bc922e9c9161fd4d7112e58e06c2c 44068 trafficserver_8.1.1+ds-1.1.debian.tar.xz
Files:
 4f9bb7e760db8564dc55f72f03bf1e54 2881 web optional trafficserver_8.1.1+ds-1.1.dsc
 67e1817441daff6c0d75098cadee3db8 44068 web optional trafficserver_8.1.1+ds-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---