Your message dated Fri, 27 Aug 2021 11:19:56 +0000
with message-id <[email protected]>
and subject line Bug#990303: fixed in trafficserver 8.0.2+ds-1+deb10u5
has caused the Debian Bug report #990303,
regarding trafficserver: Apache Traffic Server is vulnerable to various
HTTP/1.x and HTTP/2 attacks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
990303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990303
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: trafficserver
Version: 8.0.2+ds-1+deb10u4
Severity: grave
Tags: security
Justification: user security hole
-- System Information:
Debian Release: 10.10
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-17-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages trafficserver depends on:
ii adduser 3.118
ii libbrotli1 1.0.7-2+deb10u1
ii libc6 2.28-10
ii libcap2 1:2.25-2
ii libcurl4 7.64.0-4+deb10u2
ii libgcc1 1:8.3.0-6
ii libgeoip1 1.6.12-1
ii libhwloc5 1.11.12-3
ii libluajit-5.1-2 2.1.0~beta3+dfsg-5.1
ii liblzma5 5.2.4-1
ii libncursesw6 6.1+20181013-2+deb10u2
ii libpcre3 2:8.39-12
ii libssl1.1 1.1.1d-0+deb10u6
ii libstdc++6 8.3.0-6
ii libtcl8.6 8.6.9+dfsg-2
ii libtinfo6 6.1+20181013-2+deb10u2
ii libunwind8 1.2.1-10~deb10u1
ii libyaml-cpp0.6 0.6.2-4
ii lsb-base 10.2019051400
ii perl 5.28.1-6+deb10u1
ii zlib1g 1:1.2.11.dfsg-1
trafficserver recommends no packages.
Versions of packages trafficserver suggests:
pn trafficserver-experimental-plugins <none>
-- Configuration Files:
/etc/trafficserver/ip_allow.config changed [not included]
/etc/trafficserver/records.config changed [not included]
-- no debconf information
Description:
ATS is vulnerable to various HTTP/1.x and HTTP/2 attacks
CVE:
CVE-2021-27577 Incorrect handling of URL fragment leads to cache poisoning
CVE-2021-32565 HTTP Request Smuggling, content length with invalid characters
CVE-2021-32566 Specific sequence of HTTP/2 frames can cause ATS to crash
CVE-2021-32567 Reading HTTP/2 frames too many times
CVE-2021-35474 Dynamic stack buffer overflow in cachekey plugin
Versions Affected:
ATS 7.0.0 to 7.1.12
ATS 8.0.0 to 8.1.1
ATS 9.0.0 to 9.0.1
Mitigation:
7.x users should upgrade to 8.1.2 or 9.0.2, or later versions
8.x users should upgrade to 8.1.2 or later versions
9.x users should upgrade to 9.0.2 or later versions
--- End Message ---
--- Begin Message ---
Source: trafficserver
Source-Version: 8.0.2+ds-1+deb10u5
Done: Moritz Mühlenhoff <[email protected]>
We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated trafficserver package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 26 Jul 2021 22:59:59 +0200
Source: trafficserver
Architecture: source
Version: 8.0.2+ds-1+deb10u5
Distribution: buster-security
Urgency: medium
Maintainer: Aron Xu <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 990303
Changes:
trafficserver (8.0.2+ds-1+deb10u5) buster-security; urgency=medium
.
* CVE-2021-35474 CVE-2021-32567 CVE-2021-32566 CVE-2021-32565
CVE-2021-27577 (Closes: #990303)
Checksums-Sha1:
51bb7afa8a5cbdabda5342cd0c4786749c602b33 2802
trafficserver_8.0.2+ds-1+deb10u5.dsc
a8afd3895a41b78109b2eb100decfc62f98d8cc4 90848
trafficserver_8.0.2+ds-1+deb10u5.debian.tar.xz
7cca58b1d8b547fce3180c76499aa56b99635203 15473
trafficserver_8.0.2+ds-1+deb10u5_amd64.buildinfo
Checksums-Sha256:
e01d476d586564164619c580288145be65909fcb217c93dfbf3578a7c23e317a 2802
trafficserver_8.0.2+ds-1+deb10u5.dsc
7a8ce1390508452dafcd9e2120cdd9d211255534e2cdffac5f084cadaf9d84ad 90848
trafficserver_8.0.2+ds-1+deb10u5.debian.tar.xz
ba7cb487ebedb01e576d8edbc46f8548febd7dc6938b69f7c97b9ba6cf8f22a4 15473
trafficserver_8.0.2+ds-1+deb10u5_amd64.buildinfo
Files:
c1db6f0984f8de6ac947eee3553ef668 2802 web optional
trafficserver_8.0.2+ds-1+deb10u5.dsc
61a1bbea550249af584bdafd23a090d2 90848 web optional
trafficserver_8.0.2+ds-1+deb10u5.debian.tar.xz
e3737605561cebf4331c0b632b466a54 15473 web optional
trafficserver_8.0.2+ds-1+deb10u5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmEAey4ACgkQEMKTtsN8
TjZkvBAAodVQqQE9dnlic2AY8z+dH5NkIXsMjYfJZovrhN6Pst9XkdMlec5CP++s
xPynPtuCpUEwaePoX6um1eJHjbrrvjUWT8L0QntKoySQQndp8knzLfRQlBoxOqke
D/MViA9lOBYkrRcsPOOs+95mKNkHDiLjYclgd5N/hGrQAnrel/Sl5HXfXrpoOlG/
lyiBvV5S81agD1ub0qnup90SIF31qwlp8aBMVCgK4kHe41QOfUyYnntqDa8r/Olb
RG2Cf/sxxnAPUAaxgLR5O2DZueqt4ED5rKD/qTlWVM++9HTP6OFBk8dQ2+3p82nN
Z8vkwWdDxr8Zu0NBQd3wCoTlwfqBa1b4MilT8UQTveakz8EspDVXeIciy6g06r7g
/HIkadLakRwmT15lPkTgXjYWZ3F/5mrkSsInAawHnD4hA7l8EEJBTIaUqfeZgjVX
By0dYroOJIdbbmSEjRQQWrxXF623v7doOoeU7UhuIJo1EghFIp7DsFTirT4yfGbM
/PyiXi1kFxwNH/In9EN3fPYw+IB+DZoQlZeTSufkxRXfehhbUNbQH+m6S2gMQyw4
8ZbdOEa6uRjp8z/0LywJ3/9svdU0U2fTgM3dFEgrzFXdWNZPHUh7Z5K62aR66vxL
sM1Id/SM5iqjv45mFlRWGOXm9FZYps+O+Hrs7uEGH/1XgIx6yXA=
=kXWU
-----END PGP SIGNATURE-----
--- End Message ---