Package: trafficserver Version: 8.0.2+ds-1+deb10u4 Severity: grave Tags: security Justification: user security hole
-- System Information: Debian Release: 10.10 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-17-amd64 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages trafficserver depends on: ii adduser 3.118 ii libbrotli1 1.0.7-2+deb10u1 ii libc6 2.28-10 ii libcap2 1:2.25-2 ii libcurl4 7.64.0-4+deb10u2 ii libgcc1 1:8.3.0-6 ii libgeoip1 1.6.12-1 ii libhwloc5 1.11.12-3 ii libluajit-5.1-2 2.1.0~beta3+dfsg-5.1 ii liblzma5 5.2.4-1 ii libncursesw6 6.1+20181013-2+deb10u2 ii libpcre3 2:8.39-12 ii libssl1.1 1.1.1d-0+deb10u6 ii libstdc++6 8.3.0-6 ii libtcl8.6 8.6.9+dfsg-2 ii libtinfo6 6.1+20181013-2+deb10u2 ii libunwind8 1.2.1-10~deb10u1 ii libyaml-cpp0.6 0.6.2-4 ii lsb-base 10.2019051400 ii perl 5.28.1-6+deb10u1 ii zlib1g 1:1.2.11.dfsg-1 trafficserver recommends no packages. Versions of packages trafficserver suggests: pn trafficserver-experimental-plugins <none> -- Configuration Files: /etc/trafficserver/ip_allow.config changed [not included] /etc/trafficserver/records.config changed [not included] -- no debconf information Description: ATS is vulnerable to various HTTP/1.x and HTTP/2 attacks CVE: CVE-2021-27577 Incorrect handling of url fragment leads to cache poisoning CVE-2021-32565 HTTP Request Smuggling, content length with invalid charters CVE-2021-32566 Specific sequence of HTTP/2 frames can cause ATS to crash CVE-2021-32567 Reading HTTP/2 frames too many times CVE-2021-35474 Dynamic stack buffer overflow in cachekey plugin Version Affected: ATS 7.0.0 to 7.1.12 ATS 8.0.0 to 8.1.1 ATS 9.0.0 to 9.0.1 Mitigation: 7.x users should upgrade to 8.1.2 or 9.0.2, or later versions 8.x users should upgrade to 8.1.2 or later versions 9.x users should upgrade to 9.0.2 or later versions
