Bug#1054427: marked as done (trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487)

2023-11-02 Thread Debian Bug Tracking System
Your message dated Thu, 02 Nov 2023 14:36:38 +
with message-id 
and subject line Bug#1054427: fixed in trafficserver 9.2.3+ds-1
has caused the Debian Bug report #1054427,
regarding trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054427
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: trafficserver
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2023-41752[0]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Traffic Server. This issue affects Apache
| Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.
| Users are recommended to upgrade to version 8.1.9 or 9.2.3, which
| fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/334839cb7a6724c71a5542e924251a8d931774b0 (8.1.x)
https://github.com/apache/trafficserver/commit/de7c8a78edd5b75e311561dfaa133e9d71ea8a5e (9.2.x)

CVE-2023-39456[1]:
| Improper Input Validation vulnerability in Apache Traffic Server
| with malformed HTTP/2 frames. This issue affects Apache Traffic
| Server: from 9.0.0 through 9.2.2.  Users are recommended to upgrade
| to version 9.2.3, which fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/4ca137b59bc6aaa25f8b14db2bdd2e72c43502e5 (9.2.x)

CVE-2023-44487[2]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.3-rc0)
https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620 (8.1.x)

For oldstable-security let's move to 8.1.8 and for stable-security
to 9.2.3?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41752
https://www.cve.org/CVERecord?id=CVE-2023-41752
[1] https://security-tracker.debian.org/tracker/CVE-2023-39456
https://www.cve.org/CVERecord?id=CVE-2023-39456
[2] https://security-tracker.debian.org/tracker/CVE-2023-44487
https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.
--- End Message ---
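Added example, not code from the bug report, from Debian, or from the Apache Traffic Server code base: a minimal HTTP/2 frame walker in Python that rejects the malformed frames RFC 9113 requires a server to reject (the class of input-validation bug behind CVE-2023-39456) and counts the HEADERS-then-RST_STREAM(CANCEL) pattern that the CVE-2023-44487 "request cancellation can reset many streams quickly" description refers to. The client byte stream is constructed inline; the HPACK payload bytes are placeholders (headers are never decoded), and the detection thresholds in `looks_like_rapid_reset` are assumptions for illustration, not Traffic Server settings.

```python
"""HTTP/2 frame walker with basic RFC 9113 validation and a Rapid Reset
counter.  Constructed example; not Apache Traffic Server code."""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface
HEADERS, RST_STREAM, SETTINGS = 0x1, 0x3, 0x4     # frame types used here
END_HEADERS, END_STREAM = 0x4, 0x1                # HEADERS flags
CANCEL = 0x8                       # RST_STREAM error code a cancelling client sends
MAX_FRAME_SIZE = 16384             # SETTINGS_MAX_FRAME_SIZE default (RFC 9113 6.5.2)


class MalformedFrame(ValueError):
    """Raised where a conforming peer must answer with a connection error."""


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) from a raw client byte stream,
    rejecting truncated, oversized and protocol-violating frames."""
    if not data.startswith(PREFACE):
        raise MalformedFrame("missing connection preface")
    off = len(PREFACE)
    while off < len(data):
        if len(data) - off < 9:
            raise MalformedFrame("truncated frame header at offset %d" % off)
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        off += 9
        if length > MAX_FRAME_SIZE:                       # FRAME_SIZE_ERROR
            raise MalformedFrame("frame length %d exceeds SETTINGS_MAX_FRAME_SIZE" % length)
        if len(data) - off < length:
            raise MalformedFrame("truncated payload for frame type 0x%x" % ftype)
        payload = data[off:off + length]
        off += length
        if ftype == RST_STREAM and length != 4:           # FRAME_SIZE_ERROR (6.4)
            raise MalformedFrame("RST_STREAM payload must be 4 bytes, got %d" % length)
        if ftype in (RST_STREAM, HEADERS) and stream_id == 0:   # PROTOCOL_ERROR
            raise MalformedFrame("frame type 0x%x on stream 0" % ftype)
        yield ftype, flags, stream_id, payload


def is_malformed(data):
    """True if the stream contains a frame a server must reject."""
    try:
        list(parse_frames(data))
        return False
    except MalformedFrame:
        return True


def reset_stats(data):
    """Count streams opened by HEADERS and how many the client cancelled
    with RST_STREAM(CANCEL) as the very next frame on that stream."""
    opened, cancelled, last_headers_sid = 0, 0, None
    for ftype, _flags, sid, payload in parse_frames(data):
        if ftype == HEADERS:
            opened += 1
            last_headers_sid = sid
            continue
        if (ftype == RST_STREAM and sid == last_headers_sid
                and struct.unpack(">I", payload)[0] == CANCEL):
            cancelled += 1
        last_headers_sid = None
    return {"opened": opened, "cancelled": cancelled}


def looks_like_rapid_reset(stats, min_streams=100, min_ratio=0.9):
    """Heuristic with assumed thresholds: many streams opened, nearly all
    of them cancelled immediately after being opened."""
    return (stats["opened"] >= min_streams
            and stats["cancelled"] / max(stats["opened"], 1) >= min_ratio)


def rapid_reset_burst(n):
    """Constructed attacker stream: SETTINGS, then n x (HEADERS, RST_STREAM)."""
    out = PREFACE + frame(SETTINGS, 0, 0)
    for i in range(n):
        sid = 2 * i + 1                                  # client-initiated streams are odd
        out += frame(HEADERS, END_HEADERS | END_STREAM, sid, b"\x82\x84\x86")  # placeholder HPACK
        out += frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))
    return out
```

The point of the two halves: `parse_frames` is the hardening that a malformed-frame bug like CVE-2023-39456 is about (length and stream-id checks before anything is interpreted), while `reset_stats` shows why Rapid Reset is cheap for the client and expensive for the server: each HEADERS frame starts request processing, and the RST_STREAM that follows costs the attacker 13 bytes. In production this counting belongs on the connection object with a time window, not on a captured byte string.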
--- Begin Message ---
Source: trafficserver
Source-Version: 9.2.3+ds-1
Done: Jean Baptiste Favre 

We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean Baptiste Favre  (supplier of updated trafficserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 02 Nov 2023 13:46:58 +0100
Source: trafficserver
Architecture: source
Version: 9.2.3+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Jean Baptiste Favre 
Changed-By: Jean Baptiste Favre 
Closes: 1053801 1054427
Changes:
 trafficserver (9.2.3+ds-1) unstable; urgency=medium
 .
   * New upstream version 9.2.3+ds
   * Update d/trafficserver-experimental-plugins for 9.2.3 release
   * CVEs fixes (Closes: #1054427, Closes: #1053801)
 - CVE-2023-39456: Improper Input Validation vulnerability
 - CVE-2023-41752: Exposure of Sensitive Information to an Unauthorized Actor
 - CVE-2023-44487: The HTTP/2 protocol allows a denial of service
Checksums-Sha1:
 bc119fbd9efd3175f3995001edb01ba079839533 2989 trafficserver_9.2.3+ds-1.dsc
 bd4752974c4343d6be0deb34ed61e521157bba21 8942124 trafficserver_9.2.3+ds.orig.tar.xz
 fad635001981b65d66b3ad1a910ba149f130613e 35788 trafficserver_9.2.3+ds-1.debian.tar.xz
 c4a9525306ac032e2a12737274
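Added example, not Debian tooling and not from this bug report: a Python reimplementation of dpkg's version ordering (Debian Policy 5.6.12), used to answer the question the thread leaves to the reader, whether an installed trafficserver package is at or above the fixed version for each CVE. The per-CVE fixed-in table is transcribed from the advisory text and the Debian changelogs quoted on this page (8.1.9+ds-1~deb11u1 for bullseye, 9.2.3+ds-1 for unstable, 9.2.3+ds-1+deb12u1 for bookworm, and CVE-2023-39456 affecting 9.x only); the function names and the sample installed versions are assumptions of this example.

```python
"""dpkg-style version comparison applied to the trafficserver fixes in
bug #1054427.  Constructed example; the FIXED_IN table is transcribed from
the advisory and changelogs in the report, everything else is illustrative."""
import re


def _char_order(c):
    """Ordering dpkg uses inside non-digit runs: '~' sorts before anything,
    even the end of the string; letters sort before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0   # end of string orders as 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision: alternate non-digit
    runs (lexical, dpkg ordering) and digit runs (numeric)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision).
    The revision follows the LAST hyphen; a missing revision compares as ''."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:                      # no hyphen: rpartition left it all in 'revision'
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Same result as `dpkg --compare-versions a lt/eq/gt b`: -1, 0 or 1."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Fixed-in versions per upstream major branch, transcribed from this report.
# Branches not listed for a CVE are outside the advisory's affected range.
FIXED_IN = {
    "CVE-2023-41752": {"8": "8.1.9+ds-1~deb11u1", "9": "9.2.3+ds-1"},
    "CVE-2023-39456": {"9": "9.2.3+ds-1"},          # 8.x not affected
    "CVE-2023-44487": {"8": "8.1.9+ds-1~deb11u1", "9": "9.2.3+ds-1"},
}


def major_branch(version):
    """First numeric component of the upstream version ('9.2.3+ds-1' -> '9')."""
    return split_version(version)[1].split(".", 1)[0]


def status(installed, cve):
    """'fixed', 'vulnerable' or 'not-affected' for one installed version."""
    fixed = FIXED_IN[cve].get(major_branch(installed))
    if fixed is None:
        return "not-affected"
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    for v in ("8.1.8+ds-1", "8.1.9+ds-1~deb11u1", "9.2.2+ds-1", "9.2.3+ds-1+deb12u1"):
        print(v, {cve: status(v, cve) for cve in FIXED_IN})
```

On a real host feed `dpkg-query -W -f='${Version}' trafficserver` to `status()`; where dpkg itself is available, `dpkg --compare-versions` is the authoritative implementation and this code only reproduces its ordering. Note the two Debian suffixes that matter here: `~deb11u1` sorts *below* the plain `-1` revision (so a later `8.1.9+ds-1` upload in unstable still supersedes it), while `+deb12u1` sorts *above* `9.2.3+ds-1`.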

Bug#1054427: marked as done (trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487)

2023-11-07 Thread Debian Bug Tracking System
Your message dated Tue, 07 Nov 2023 21:18:10 +
with message-id 
and subject line Bug#1054427: fixed in trafficserver 8.1.9+ds-1~deb11u1
has caused the Debian Bug report #1054427,
regarding trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487
to be marked as done.

--- Begin Message ---
Source: trafficserver
Source-Version: 8.1.9+ds-1~deb11u1
Done: Jean Baptiste Favre 

We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean Baptiste Favre  (supplier of updated trafficserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 02 Nov 2023 17:00:26 +0100
Source: trafficserver
Architecture: source
Version: 8.1.9+ds-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Jean Baptiste Favre 
Changed-By: Jean Baptiste Favre 
Closes: 1053801 1054427
Changes:
 trafficserver (8.1.9+ds-1~deb11u1) bullseye-security; urgency=medium
 .
   * New upstream version 8.1.9+ds
   * Update d/patches for 8.1.9+ds-1~deb11u1 release
   * Update d/trafficserver-experimental-plugins.install
   * Multiple CVE fixes for 8.1.x (Closes: #1054427, Closes: #1053801)
 - CVE-2022-47185: Improper input validation vulnerability
 - CVE-2023-33934: Improper Input Validation vulnerability
 - CVE-2023-41752: Exposure of Sensitive Information to an Unauthorized Actor
 - CVE-2023-44487: The HTTP/2 protocol allows a denial of service
Checksums-Sha1:
 b8f93f14f6ebf4d2976c34dc7b84cc98d0540fc8 2880 trafficserver_8.1.9+ds-1~deb11u1.dsc
 691ce5e7162f39114

Bug#1054427: marked as done (trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487)

2023-11-07 Thread Debian Bug Tracking System
Your message dated Tue, 07 Nov 2023 21:17:08 +
with message-id 
and subject line Bug#1054427: fixed in trafficserver 9.2.3+ds-1+deb12u1
has caused the Debian Bug report #1054427,
regarding trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487
to be marked as done.

--- Begin Message ---
Source: trafficserver
Source-Version: 9.2.3+ds-1+deb12u1
Done: Jean Baptiste Favre 

We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean Baptiste Favre  (supplier of updated trafficserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 02 Nov 2023 15:01:39 +0100
Source: trafficserver
Architecture: source
Version: 9.2.3+ds-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Jean Baptiste Favre 
Changed-By: Jean Baptiste Favre 
Closes: 1053801 1054427
Changes:
 trafficserver (9.2.3+ds-1+deb12u1) bookworm-security; urgency=medium
 .
   * Multiple CVE fixes for 9.2.x (Closes: #1054427, Closes: #1053801)
 - CVE-2022-47185: Improper input validation vulnerability
 - CVE-2023-33934: Improper Input Validation vulnerability
 - CVE-2023-39456: Improper Input Validation vulnerability
 - CVE-2023-41752: Exposure of Sensitive Information to an Unauthorized Actor
 - CVE-2023-44487: The HTTP/2 protocol allows a denial of service
   * Refresh d/patches for 9.2.3 release
   * Add patch to workaround missing sphinxcontrib.jquery module
   * Update d/trafficserver-experimental-plugins for 9.2.3 release
Checksums-Sha1:
 e4fe79a6f10