Your message dated Sat, 31 Aug 2024 21:17:30 +0000
with message-id <e1skvto-0011ux...@fasolo.debian.org>
and subject line Bug#1077141: fixed in trafficserver 9.2.5+ds-0+deb12u1
has caused the Debian Bug report #1077141,
regarding trafficserver: CVE-2023-38522 CVE-2024-35161 CVE-2024-35296
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1077141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077141
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: trafficserver
Version: 9.2.4+ds-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 9.2.4+ds-0+deb12u1
Control: found -1 8.1.10+ds-1~deb11u1

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2023-38522[0]:
| Incomplete field name check allows request smuggling


CVE-2024-35161[1]:
| Incomplete check for chunked trailer section allows request smuggling


CVE-2024-35296[2]:
| Invalid Accept-Encoding can force forwarding requests


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38522
    https://www.cve.org/CVERecord?id=CVE-2023-38522
[1] https://security-tracker.debian.org/tracker/CVE-2024-35161
    https://www.cve.org/CVERecord?id=CVE-2024-35161
[2] https://security-tracker.debian.org/tracker/CVE-2024-35296
    https://www.cve.org/CVERecord?id=CVE-2024-35296
[3] https://www.openwall.com/lists/oss-security/2024/07/25/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: trafficserver
Source-Version: 9.2.5+ds-0+deb12u1
Done: Jean Baptiste Favre <deb...@jbfavre.org>

We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1077...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean Baptiste Favre <deb...@jbfavre.org> (supplier of updated trafficserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Aug 2024 20:20:06 +0200
Source: trafficserver
Architecture: source
Version: 9.2.5+ds-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Jean Baptiste Favre <deb...@jbfavre.org>
Changed-By: Jean Baptiste Favre <deb...@jbfavre.org>
Closes: 1077141
Changes:
 trafficserver (9.2.5+ds-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 9.2.5+ds
   * CVEs fix (Closes: #1077141)
     - CVE-2023-38522: Incomplete field name check allows request smuggling
     - CVE-2024-35161: Incomplete check for chunked trailer section allows
       request smuggling
     - CVE-2024-35296: Invalid Accept-Encoding can force forwarding requests

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
