Bug#1054427: marked as done (trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487)

[Debian Bug Tracking System]

Your message dated Thu, 02 Nov 2023 14:36:38 +0000
with message-id <e1qyyoi-0072dl...@fasolo.debian.org>
and subject line Bug#1054427: fixed in trafficserver 9.2.3+ds-1
has caused the Debian Bug report #1054427,
regarding trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054427
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: trafficserver
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2023-41752[0]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Traffic Server.This issue affects Apache
| Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.
| Users are recommended to upgrade to version 8.1.9 or 9.2.3, which
| fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/334839cb7a6724c71a5542e924251a8d931774b0
 (8.1.x)
https://github.com/apache/trafficserver/commit/de7c8a78edd5b75e311561dfaa133e9d71ea8a5e
 (9.2.x)

CVE-2023-39456[1]:
| Improper Input Validation vulnerability in Apache Traffic Server
| with malformed HTTP/2 frames.This issue affects Apache Traffic
| Server: from 9.0.0 through 9.2.2.  Users are recommended to upgrade
| to version 9.2.3, which fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/4ca137b59bc6aaa25f8b14db2bdd2e72c43502e5
 (9.2.x)

CVE-2023-44487[2]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682
 (9.2.3-rc0)
https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620
 (8.1.x)

For oldstable-security let's move to 8.1.8 and for stable-security
to 9.2.3?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41752
    https://www.cve.org/CVERecord?id=CVE-2023-41752
[1] https://security-tracker.debian.org/tracker/CVE-2023-39456
    https://www.cve.org/CVERecord?id=CVE-2023-39456
[2] https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

Source: trafficserver
Source-Version: 9.2.3+ds-1
Done: Jean Baptiste Favre <deb...@jbfavre.org>

We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean Baptiste Favre <deb...@jbfavre.org> (supplier of updated trafficserver 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 Nov 2023 13:46:58 +0100
Source: trafficserver
Architecture: source
Version: 9.2.3+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Jean Baptiste Favre <deb...@jbfavre.org>
Changed-By: Jean Baptiste Favre <deb...@jbfavre.org>
Closes: 1053801 1054427
Changes:
 trafficserver (9.2.3+ds-1) unstable; urgency=medium
 .
   * New upstream version 9.2.3+ds
   * Update d/trafficserver-experimental-plugins for 9.2.3 release
   * CVEs fixes (Closes: #1054427, Closes: #1053801)
     - CVE-2023-39456: Improper Input Validation vulnerability
     - CVE-2023-41752: Exposure of Sensitive Information to an Unauthorized 
Actor
     - CVE-2023-44487: The HTTP/2 protocol allows a denial of service
Checksums-Sha1:
 bc119fbd9efd3175f3995001edb01ba079839533 2989 trafficserver_9.2.3+ds-1.dsc
 bd4752974c4343d6be0deb34ed61e521157bba21 8942124 
trafficserver_9.2.3+ds.orig.tar.xz
 fad635001981b65d66b3ad1a910ba149f130613e 35788 
trafficserver_9.2.3+ds-1.debian.tar.xz
 c4a9525306ac032e2a127372747cd6620f00645e 12466 
trafficserver_9.2.3+ds-1_source.buildinfo
Checksums-Sha256:
 379ac21b58337082757b2a42651b3c41913d78f9a6f2d8b2a64f0d8cb0327c7e 2989 
trafficserver_9.2.3+ds-1.dsc
 0e323e1c4c01d1506cfd49d4c6935dbebd125b187d9ba72fe909bd6b10d81110 8942124 
trafficserver_9.2.3+ds.orig.tar.xz
 3019ba5c80b2984cfaedc1874693abc32cca1648effcaf13539c85ab584f07e0 35788 
trafficserver_9.2.3+ds-1.debian.tar.xz
 9c838794911a123d5e5c7cb71ad050ea8b720051c3e19c9b1684f177122802f2 12466 
trafficserver_9.2.3+ds-1_source.buildinfo
Files:
 d30aa28b6f3c07a94d218bd3ecb300de 2989 web optional trafficserver_9.2.3+ds-1.dsc
 f65bf601372c361eb765c1d9150f5755 8942124 web optional 
trafficserver_9.2.3+ds.orig.tar.xz
 2a1cdb9080bce8861831c1943ffa52d5 35788 web optional 
trafficserver_9.2.3+ds-1.debian.tar.xz
 9d60dfd90631ee28d89d9cff20e47d2a 12466 web optional 
trafficserver_9.2.3+ds-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEToRbojDLTUSJBphHtN1Tas99hzcFAmVDqZFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDRF
ODQ1QkEyMzBDQjRENDQ4OTA2OTg0N0I0REQ1MzZBQ0Y3RDg3MzcACgkQtN1Tas99
hzdGUw//SKD5qzYmjDQg1H224MKM2lOnq8IcsCXSctxOUc0KhI4rKidLm7QiJ/tL
bWMHr643N98Pw9pvikGmXG2I1gh3TvvtXkkVWCG/487lj8Omo/JQ4AvMrzme5jde
HANgMO+6DEhsxEf81+7UxneP2fFt2YBMO//kANyQUV5L584BLQuh3ghbTDAOLhUW
GwhTRPw66rteTHyf6+RnCMKK7k6AyeHk4Oi2A7MZJByasd4IXlSRMVUOUDe9EpZn
FXxxGjuaOj7wxhFvfmb0bO3QTR5pkCEmKX78znB7CMBneBsdtxAHiyF9GZVvFI/n
CX95NRkBD3cHN72hGiRzXM4fWrZ5zhhD1aeI7iQjOkbr7pazSlBaQCLY5Vu9fdUG
6IdI5RsHbUPmfPgX2j258rU7Cg+6ugqJDPnavgnpsOAMO5Z2p4z53X2fzEDviXA5
8q9WDKS1/eMH82T7UW2Z5Fg9yWe4roNehxinG4MSmjDRyl808H7KeUAXIHbXzhpE
J6tjdAX3PqaQLsBcFwIoMy3R9Kbr4e+/8C8k0Sr6RCfjiomdQVt+5Oga4L2UUQUj
tgNCeTHAanCZlwuFLoMxNB2t2z9PfJHAKtQ8yPehF4q2hN62ekKeWrPEvu2cadMx
Nsn/Cp69wyHFKceburCeRZQ9k0WkLe6ougNN4Cb+uSoMmHXrjF4=
=ACyv
-----END PGP SIGNATURE-----

--- End Message ---