Your message dated Tue, 07 Nov 2023 21:18:10 +0000 with message-id <e1r0tsc-000djn...@fasolo.debian.org> and subject line Bug#1054427: fixed in trafficserver 8.1.9+ds-1~deb11u1 has caused the Debian Bug report #1054427, regarding trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1054427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054427 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: trafficserver X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for trafficserver. CVE-2023-41752[0]: | Exposure of Sensitive Information to an Unauthorized Actor | vulnerability in Apache Traffic Server.This issue affects Apache | Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2. | Users are recommended to upgrade to version 8.1.9 or 9.2.3, which | fixes the issue. https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q https://github.com/apache/trafficserver/commit/334839cb7a6724c71a5542e924251a8d931774b0 (8.1.x) https://github.com/apache/trafficserver/commit/de7c8a78edd5b75e311561dfaa133e9d71ea8a5e (9.2.x) CVE-2023-39456[1]: | Improper Input Validation vulnerability in Apache Traffic Server | with malformed HTTP/2 frames.This issue affects Apache Traffic | Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade | to version 9.2.3, which fixes the issue. https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q https://github.com/apache/trafficserver/commit/4ca137b59bc6aaa25f8b14db2bdd2e72c43502e5 (9.2.x) CVE-2023-44487[2]: | The HTTP/2 protocol allows a denial of service (server resource | consumption) because request cancellation can reset many streams | quickly, as exploited in the wild in August through October 2023. https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.3-rc0) https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620 (8.1.x) For oldstable-security let's move to 8.1.8 and for stable-security to 9.2.3? If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-41752 https://www.cve.org/CVERecord?id=CVE-2023-41752 [1] https://security-tracker.debian.org/tracker/CVE-2023-39456 https://www.cve.org/CVERecord?id=CVE-2023-39456 [2] https://security-tracker.debian.org/tracker/CVE-2023-44487 https://www.cve.org/CVERecord?id=CVE-2023-44487 Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---Source: trafficserver Source-Version: 8.1.9+ds-1~deb11u1 Done: Jean Baptiste Favre <deb...@jbfavre.org> We believe that the bug you reported is fixed in the latest version of trafficserver, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1054...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Jean Baptiste Favre <deb...@jbfavre.org> (supplier of updated trafficserver package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 02 Nov 2023 17:00:26 +0100 Source: trafficserver Architecture: source Version: 8.1.9+ds-1~deb11u1 Distribution: bullseye-security Urgency: medium Maintainer: Jean Baptiste Favre <deb...@jbfavre.org> Changed-By: Jean Baptiste Favre <deb...@jbfavre.org> Closes: 1053801 1054427 Changes: trafficserver (8.1.9+ds-1~deb11u1) bullseye-security; urgency=medium . * New upstream version 8.1.9+ds * Update d/patches for 8.1.9+ds-1~deb11u1 release * Update d/trafficserver-experimental-plugins.install * Multiple CVE fixes for 8.1.x (Closes: #1054427, Closes: #1053801) - CVE-2022-47185: Improper input validation vulnerability - CVE-2023-33934: Improper Input Validation vulnerability - CVE-2023-41752: Exposure of Sensitive Information to an Unauthorized Actor - CVE-2023-44487: The HTTP/2 protocol allows a denial of service Checksums-Sha1: b8f93f14f6ebf4d2976c34dc7b84cc98d0540fc8 2880 trafficserver_8.1.9+ds-1~deb11u1.dsc 691ce5e7162f39114c6674ccc79f1def178e6d2f 7960728 trafficserver_8.1.9+ds.orig.tar.xz 880c08113128ed13a9503927329260e12f1414d4 45752 trafficserver_8.1.9+ds-1~deb11u1.debian.tar.xz 8feb43f9a0c79ad9b2de671437e06903a4102c05 14224 trafficserver_8.1.9+ds-1~deb11u1_source.buildinfo Checksums-Sha256: 3c4074ee7fc877412cabf74ed189459f3fc399502ead263200c33a59c1a26ceb 2880 trafficserver_8.1.9+ds-1~deb11u1.dsc 06ff4a3211d2811577f9075da0b95f0d1b51a305713926e4ea0c980c0c06e150 7960728 trafficserver_8.1.9+ds.orig.tar.xz fdb821ecbd0c24639cba094ba7fee5f11b4e61b73204d48f671414d0235ded94 45752 trafficserver_8.1.9+ds-1~deb11u1.debian.tar.xz a30bbcf7fb4e2b3b2baa90e9e6584c6332a2e3bef65059a8901ebb700e5502c4 14224 trafficserver_8.1.9+ds-1~deb11u1_source.buildinfo Files: 3c13e32b889801b30b35c41e76fc6138 2880 web optional trafficserver_8.1.9+ds-1~deb11u1.dsc 8ebaff42368e815ab477d2d64bcff50f 7960728 web optional trafficserver_8.1.9+ds.orig.tar.xz 17f223fec44e3615ce460fdb4ac6cdf6 45752 web optional trafficserver_8.1.9+ds-1~deb11u1.debian.tar.xz a247d3fc59225767a822b0605c44a7d4 14224 web optional trafficserver_8.1.9+ds-1~deb11u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEToRbojDLTUSJBphHtN1Tas99hzcFAmVD12RfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDRF ODQ1QkEyMzBDQjRENDQ4OTA2OTg0N0I0REQ1MzZBQ0Y3RDg3MzcACgkQtN1Tas99 hzeNPw//ZdAfm68z+6Cr0cUxkZQmoHL1fi9f1ZaxyXJoldqEQPhUXazXWjLZIe96 u8lkP+EYMENDT9nvRgfDy8AvR2uLuLWYRiahXCcBlWQRG0vA3cYMBjMulp5O7dP+ Y+QyFBfrCGPkFpcyBdA2dewG87xWBS8+hB8BFoAOD3ghrOWkvsRkpjzHGQkkhAUS mmLreYGggVcCERM1zqQD4vZxsZaoZAGr42CsXqGqGyzWYhIHo5ckz4DbZJk0GJXY UpXAVY6TBl4gcCy3tijyUayOJp/BdDHZy3k4/P03F/Yj10K525kPO38/n9NNVKgX 6FQ06CpQi56skAK4C7MpS5CsRxe4dHEfRyGthJoADFGiHlNPvtIW20Wan6f9pIiy 1RGoRW2iPWzIWhvsQhvYHGqj6bTDdgKyHBQ879DNSGMQ7oo6uDkC9JqbrgHcRj7x ZznBnW+1eakgqTXgpAaeYUYD5lToUPTlMvjgW0mp7zTEMJ3Ow3hOdEe11OkL4Oj+ HBJKdfJu5x3hKTGW0IyvIZxcGBduraVRkwF3DATVo0HGsovLO8l5PyM7Q2TFTY05 +zDw6dSS56gaaJoPXkTaE+ty2Rwo7W+ORWlaZYpcJ5aVabiRLSoF0Xpwe1z2hjMz J+xlhpj4mrlkiWwojsQBOXH3IEPRMThxSVt+3s8u9+FFByOu4jA= =nLH5 -----END PGP SIGNATURE-----
--- End Message ---
