[SECURITY] [DLA 3279-1] trafficserver security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3279-1] trafficserver security update
From: Abhijith PA <abhijith@debian.org>
Date: Mon, 23 Jan 2023 16:39:56 +0530
Message-id: <[🔎] Y85rBGKWUjDpjQ8h@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3279-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
January 23, 2023                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : trafficserver
Version        : 8.0.2+ds-1+deb10u7
CVE ID         : CVE-2021-37150 CVE-2022-25763 CVE-2022-28129 
                 CVE-2022-31780

Multiple vulnerabilities were found in trafficserver, a caching proxy 
server.

CVE-2021-37150

    Improper Input Validation vulnerability in header parsing of 
    Apache Traffic Server allows an attacker to request secure 
    resources

CVE-2022-25763

    Improper Input Validation vulnerability in HTTP/2 request 
    validation of Apache Traffic Server allows an attacker to create 
    smuggle or cache poison attacks.

CVE-2022-28129

    Improper Input Validation vulnerability in HTTP/1.1 header parsing 
    of Apache Traffic Server allows an attacker to send invalid 
    headers

CVE-2022-31780

    Improper Input Validation vulnerability in HTTP/2 frame handling 
    of Apache Traffic Server allows an attacker to smuggle requests.

For Debian 10 buster, these problems have been fixed in version
8.0.2+ds-1+deb10u7.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAmPOawQACgkQhj1N8u2c
KO+HfA/7BqH/Q9mQcq3WLzf2qEmxaRrwoN/t/TwmUJRdUrSIBVdCbf7VTtygVyIp
eqnfdnWRp/4ZH1Sdg95vB6l0Wu8txVt0KjYltLWrWnjfdMqDBHFk1M45BkXmSHrv
QKC8h68J1Y9inpZjGJ680PW0W0XkaSB75khUC58plctUbXeTV9Gchhr29+q96/3R
acBBrfBicvebYeaMIE+tzbRIHva5S9R5byczITXCYaz+2+U8BUWDA+QQseO0Yeme
STk3X+bNoexBY3BleNULqrcyWopMs3Hb1XcQsAUvJFP/0JqCj+87Ef++9y17efoM
PYzPQlIM5uBJlslxH7/iqyC6sWJiK2qUTBhL7dcdKULsHX81szMek0VtOvj6MhsT
w4PYGxAKiEk5P6e4NNAj6DngmnFJBZWC/qc3axtkVxH3Lkv/nqxhklowMsgxTkCb
LPHOrIefj2Ae6xbCPNs3xcE2fYDmjK1ISqPEoGfX2DB6tItg/EKMbiJ752h0Hf93
4UtIDztOEiybvC8MfpA2xi9jTwWGvTTY1ThTMBB5y4dyb6SqcR5EbLPB6vV4kkoK
mxYB4ABCYXv+Nb1c76yDd0qVrWl6Vs1uokdLHsLlzwfSf7us9dJbcRo1Uu3Rn7r4
PmOIPHNACTlY7/9iqcu9QYxqNasNKfGJaDUX+dN4tcJr9ZOyiDw=
=ambk
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3278-1] tiff security update
Next by Date: [SECURITY] [DLA 3280-1] libde265 security update
Previous by thread: [SECURITY] [DLA 3278-1] tiff security update
Next by thread: [SECURITY] [DLA 3280-1] libde265 security update
Index(es):
- Date
- Thread