Package: trafficserver
Version: 8.0.2+ds-1+deb10u4
Severity: grave
Tags: security
Justification: user security hole



-- System Information:
Debian Release: 10.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-17-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages trafficserver depends on:
ii  adduser          3.118
ii  libbrotli1       1.0.7-2+deb10u1
ii  libc6            2.28-10
ii  libcap2          1:2.25-2
ii  libcurl4         7.64.0-4+deb10u2
ii  libgcc1          1:8.3.0-6
ii  libgeoip1        1.6.12-1
ii  libhwloc5        1.11.12-3
ii  libluajit-5.1-2  2.1.0~beta3+dfsg-5.1
ii  liblzma5         5.2.4-1
ii  libncursesw6     6.1+20181013-2+deb10u2
ii  libpcre3         2:8.39-12
ii  libssl1.1        1.1.1d-0+deb10u6
ii  libstdc++6       8.3.0-6
ii  libtcl8.6        8.6.9+dfsg-2
ii  libtinfo6        6.1+20181013-2+deb10u2
ii  libunwind8       1.2.1-10~deb10u1
ii  libyaml-cpp0.6   0.6.2-4
ii  lsb-base         10.2019051400
ii  perl             5.28.1-6+deb10u1
ii  zlib1g           1:1.2.11.dfsg-1

trafficserver recommends no packages.

Versions of packages trafficserver suggests:
pn  trafficserver-experimental-plugins  <none>

-- Configuration Files:
/etc/trafficserver/ip_allow.config changed [not included]
/etc/trafficserver/records.config changed [not included]

-- no debconf information

Description:
ATS is vulnerable to various HTTP/1.x and HTTP/2 attacks

CVE:
CVE-2021-27577 Incorrect handling of URL fragment leads to cache poisoning
CVE-2021-32565 HTTP Request Smuggling, content length with invalid characters
CVE-2021-32566 Specific sequence of HTTP/2 frames can cause ATS to crash
CVE-2021-32567 Reading HTTP/2 frames too many times
CVE-2021-35474 Dynamic stack buffer overflow in cachekey plugin

Version Affected:
ATS 7.0.0 to 7.1.12
ATS 8.0.0 to 8.1.1
ATS 9.0.0 to 9.0.1

Mitigation:
7.x users should upgrade to 8.1.2 or 9.0.2, or later versions.
8.x users should upgrade to 8.1.2 or later versions.
9.x users should upgrade to 9.0.2 or later versions.
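As an added helper (not part of this bug report or of the trafficserver package), the following Python classifies an installed ATS version against the affected ranges listed above and names the upgrade target from the Mitigation section. It assumes the version string begins with the upstream major.minor.patch triple; Debian revision suffixes such as "+ds-1+deb10u4" are ignored, with the caveat explained in the comments.

```python
"""Classify an Apache Traffic Server version against the ranges in this advisory."""
import re

# Affected ranges (inclusive) and the upgrade target, copied from the advisory.
# The 7.x line has no fixed 7.x release, so it points at 8.1.2 / 9.0.2.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 1, 12), "8.1.2 or 9.0.2"),
    ((8, 0, 0), (8, 1, 1), "8.1.2"),
    ((9, 0, 0), (9, 0, 1), "9.0.2"),
]


def parse_upstream_version(version):
    """Return (major, minor, patch) from an upstream or Debian version string.

    Only the leading upstream triple is used, so '8.0.2+ds-1+deb10u4' becomes
    (8, 0, 2). Caveat: a Debian security update normally backports the fix and
    bumps only the Debian revision (the 'deb10uN' part), leaving the upstream
    triple unchanged, so a package that already carries the fix would still be
    reported as affected here. Confirm against the package changelog before
    acting on the result.
    """
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def check_version(version):
    """Return (affected, recommendation) for the given version string."""
    triple = parse_upstream_version(version)
    for low, high, target in AFFECTED_RANGES:
        # Tuples compare element by element, so this is a proper range test.
        if low <= triple <= high:
            return True, f"upgrade to {target} or later"
    return False, "not within an affected range"


if __name__ == "__main__":
    # The version reported at the top of this bug report.
    for candidate in ("8.0.2+ds-1+deb10u4", "7.1.12", "9.0.2"):
        affected, advice = check_version(candidate)
        print(f"{candidate}: {'AFFECTED' if affected else 'ok'} ({advice})")
```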
