Your message dated Fri, 23 Aug 2024 19:07:30 +0000
with message-id <e1shzdc-008omd...@fasolo.debian.org>
and subject line Bug#1077141: fixed in trafficserver 9.2.5+ds-1
has caused the Debian Bug report #1077141,
regarding trafficserver: CVE-2023-38522 CVE-2024-35161 CVE-2024-35296
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1077141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077141
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: trafficserver
Version: 9.2.4+ds-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 9.2.4+ds-0+deb12u1
Control: found -1 8.1.10+ds-1~deb11u1
Hi,
The following vulnerabilities were published for trafficserver.
CVE-2023-38522[0]:
| Incomplete field name check allows request smuggling
CVE-2024-35161[1]:
| Incomplete check for chunked trailer section allows request smuggling
CVE-2024-35296[2]:
| Invalid Accept-Encoding can force forwarding requests
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-38522
https://www.cve.org/CVERecord?id=CVE-2023-38522
[1] https://security-tracker.debian.org/tracker/CVE-2024-35161
https://www.cve.org/CVERecord?id=CVE-2024-35161
[2] https://security-tracker.debian.org/tracker/CVE-2024-35296
https://www.cve.org/CVERecord?id=CVE-2024-35296
[3] https://www.openwall.com/lists/oss-security/2024/07/25/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: trafficserver
Source-Version: 9.2.5+ds-1
Done: Jean Baptiste Favre <deb...@jbfavre.org>
We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1077...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jean Baptiste Favre <deb...@jbfavre.org> (supplier of updated trafficserver
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 23 Aug 2024 18:49:41 +0200
Source: trafficserver
Architecture: source
Version: 9.2.5+ds-1
Distribution: unstable
Urgency: high
Maintainer: Jean Baptiste Favre <deb...@jbfavre.org>
Changed-By: Jean Baptiste Favre <deb...@jbfavre.org>
Closes: 1077141
Changes:
trafficserver (9.2.5+ds-1) unstable; urgency=high
.
* New upstream version 9.2.5+ds
* Patches refresh for 9.2.5
* Update d/control Build-Depends
* CVEs fix (Closes: #1077141)
- CVE-2023-38522: Incomplete field name check allows request smuggling
- CVE-2024-35161: Incomplete check for chunked trailer section allows
request smuggling
- CVE-2024-35296: Invalid Accept-Encoding can force forwarding requests
Checksums-Sha1:
9c13cddf7cf1af6e590dbc0dbe216c32c0761599 2985 trafficserver_9.2.5+ds-1.dsc
75948d26ccb5b53362b90a23ee6716d98ec02f9d 8952536
trafficserver_9.2.5+ds.orig.tar.xz
c5131ffff4ae3e2f6a480f061f8f1e7c626d2956 35640
trafficserver_9.2.5+ds-1.debian.tar.xz
0cddce7a5e01824dcff02db1405a6fc1a88af164 13248
trafficserver_9.2.5+ds-1_source.buildinfo
Checksums-Sha256:
538b0c7a75c7c606cfdc76952205925b6876177d6818d9813d0adb43d96134c7 2985
trafficserver_9.2.5+ds-1.dsc
dbf4de96e1c5077bc2148ef065bd271ab6d73d71285a7568c60ae59e900692bd 8952536
trafficserver_9.2.5+ds.orig.tar.xz
2ef80328162a110118183608b0688a2d6501f592e5925bf2700c83675e0e938f 35640
trafficserver_9.2.5+ds-1.debian.tar.xz
2276990e09b3e3c0a870cb7a05079d28072dbe1622220428449c21cf47e94f34 13248
trafficserver_9.2.5+ds-1_source.buildinfo
Files:
9997d23b16366ab77477b58a3fbeb9a6 2985 web optional trafficserver_9.2.5+ds-1.dsc
b4dd8ce30023f3a0629fe44668c1c2d9 8952536 web optional
trafficserver_9.2.5+ds.orig.tar.xz
32baf6ebb8e9848bb8329d1594d1c821 35640 web optional
trafficserver_9.2.5+ds-1.debian.tar.xz
fd1f454257cc18086e9bc7f256ea1a3d 13248 web optional
trafficserver_9.2.5+ds-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEToRbojDLTUSJBphHtN1Tas99hzcFAmbI0YFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDRF
ODQ1QkEyMzBDQjRENDQ4OTA2OTg0N0I0REQ1MzZBQ0Y3RDg3MzcACgkQtN1Tas99
hzeUYA/+JtUcdJ6IPTuU3rTiyUdQf7AJ/9ZNvqvSuyAHc4zEw8JsQHpnqofd8yBg
G9IfI4RDmL/v8ajPLPGLsidFJZivXpNmfhmzexRSp1ab5WVJIDglHsXxJTq6N3TR
25xnecEmsFiAQuguFzZzjk5gAyqCUOY4qFirueWo7Mub7JjhCwWlSAX0XsOtUzm6
H35QHMyTFgUnHkwf5lCa3qe9qe6YBvJYVDYg1BYUynPqZQodGThjSWhgD6FktCPW
ZOql4u535M5QYROl+6TsY43P+K7P70rJxq5AVJlqAQynGNwLwJ1MmRzktubU70bG
j01K2SozsNgSMaw02fywtkMbQns9vdMqo7MyE6sRvr7+uUmvbrTdZiSfP9Qpis42
zs2rq4iWSuiiUqekyT2nuVQ0jxryCYuuktdsXfKh7B9J5MmCLGQF9akqR316vvOc
E8+Qog1FWqN0/+FNaXe1XB9lBeTHsZXtZIoKF91wcHKYdzvt8PcBgfuDXDN+WCSE
cAWYIgjN1GFMawLcAi0WwpAa/7d2C5Kuw3E1Y8uW7ByKxeLzPTaJevwP8aC0SgAi
GPvAXUXrgJO/z1a7W3yjmBANa/yCZeXsuudD8U7BQJHB1oGyGfQZkiVOUj6LmuLW
JVa/xnzxwmcyaxHeX7AaAsH9W4BGW3kFzUEy3RqDFesLwIhv33s=
=9fCE
-----END PGP SIGNATURE-----
pgpcwhf57cqem.pgp
Description: PGP signature
--- End Message ---
