Source: trafficserver Version: 9.2.5+ds-0+deb12u2 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 9.2.5+ds-1
Hi, The following vulnerabilities were published for trafficserver. CVE-2025-49763[0]: | ESI plugin does not have the limit for maximum inclusion depth, and | that allows excessive memory consumption if malicious instructions | are inserted. Users can use a new setting for the plugin (--max- | inclusion-depth) to limit it. This issue affects Apache Traffic | Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. | Users are recommended to upgrade to version 9.2.11 or 10.0.6, which | fixes the issue. CVE-2025-31698[1]: | ACL configured in ip_allow.config or remap.config does not use IP | addresses that are provided by PROXY protocol. Users can use a new | setting (proxy.config.acl.subjects) to choose which IP addresses to | use for the ACL if Apache Traffic Server is configured to accept | PROXY protocol. This issue affects undefined: from 10.0.0 through | 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade | to version 9.2.11 or 10.0.6, which fixes the issue. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-49763 https://www.cve.org/CVERecord?id=CVE-2025-49763 [1] https://security-tracker.debian.org/tracker/CVE-2025-31698 https://www.cve.org/CVERecord?id=CVE-2025-31698 [2] https://www.openwall.com/lists/oss-security/2025/06/17/7 Regards, Salvatore
