Source: trafficserver
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2023-41752[0]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Traffic Server. This issue affects Apache
| Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.
| Users are recommended to upgrade to version 8.1.9 or 9.2.3, which
| fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/334839cb7a6724c71a5542e924251a8d931774b0 (8.1.x)
https://github.com/apache/trafficserver/commit/de7c8a78edd5b75e311561dfaa133e9d71ea8a5e (9.2.x)

CVE-2023-39456[1]:
| Improper Input Validation vulnerability in Apache Traffic Server
| with malformed HTTP/2 frames. This issue affects Apache Traffic
| Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade
| to version 9.2.3, which fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/4ca137b59bc6aaa25f8b14db2bdd2e72c43502e5 (9.2.x)

CVE-2023-44487[2]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.3-rc0)
https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620 (8.1.x)

For oldstable-security let's move to 8.1.8 and for stable-security to 9.2.3?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41752
    https://www.cve.org/CVERecord?id=CVE-2023-41752
[1] https://security-tracker.debian.org/tracker/CVE-2023-39456
    https://www.cve.org/CVERecord?id=CVE-2023-39456
[2] https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.