Hi Abhijith,

The original fix for CVE-2022-31778 is PR#7499, and it was backported to
the 8.1.x branch together with related changes (PR#7473) in PR#8880.

- https://github.com/apache/trafficserver/pull/7473
- https://github.com/apache/trafficserver/pull/7499
- https://github.com/apache/trafficserver/pull/8880

Thanks,
Masaori

On Fri, Oct 28, 2022 at 7:27 AM Abhijith PA <[email protected]> wrote:

> Hello.
>
> I am backporting the recent Traffic Server security fixes[1] to Debian
> LTS buster, which has Traffic Server version 8.0.x.
>
> If I am right, CVE-2022-25763, CVE-2022-28129, CVE-2022-31779 and
> CVE-2022-31780 are fixed in commit
>
> https://github.com/apache/trafficserver/commit/0ca9ef5abc8a535d05150ebc7c16bbfa4e982d16
>
> And CVE-2021-37150 is fixed in commit
>
> https://github.com/apache/trafficserver/commit/4da63a69cbce10a6cd4d103de9f9b01d9c9be908
>
> But for CVE-2022-31778, I couldn't pinpoint the commit. Does
> https://github.com/apache/trafficserver/pull/8899 have anything to do with
> CVE-2022-31778?
> (
> https://github.com/apache/trafficserver/commit/f45d490b7c3a3cb91cbc6a815b9939b19101e4d2
> )
>
> Please help me find the fix for CVE-2022-31778. Also, please correct me if
> I missed any commits, or if any of the commits mentioned above for these CVEs
> should be dropped.
>
>
> Abhijith
> Debian Developer
>
> [1] - https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
>
