[SECURITY] [DLA 3897-1] trafficserver security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3897-1] trafficserver security update
From: Adrian Bunk <bunk@debian.org>
Date: Fri, 27 Sep 2024 02:08:20 +0300
Message-id: <[🔎] ZvXpZFf7gWuC3VLe@localhost>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3897-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
September 27, 2024                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : trafficserver
Version        : 8.1.11+ds-0+deb11u1
CVE ID         : CVE-2023-38522 CVE-2024-35161 CVE-2024-35296
Debian Bug     : 1077141

Multiple vulnerabilities were fixed in trafficserver,
a caching proxy server.

CVE-2023-38522

    Incomplete field name check allows request smuggling

CVE-2024-35161

    Incomplete check for chunked trailer section allows
    request smuggling

CVE-2024-35296

    Invalid Accept-Encoding can force forwarding requests

For Debian 11 bullseye, these problems have been fixed in version
8.1.11+ds-0+deb11u1.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmb16WAACgkQiNJCh6LY
mLGlPQ/+PxjaluVwMICScmOUvUZwYCG1Un/QEohnY2uDsCfFrAoccXNLFt3Cx0kS
C9qpYQe4QUySO8zAsabhGkjWVXdJkr7YfV1AZSavgl1TpsR7sXN1IfxHju4HcT40
1lGUl5ThZfQ5abukivkAvhXbIUIrZtR7IWONkiXadNP0isMv89x4S+u0YaN5+Xx7
yW+ix9PlnDRlJuPNZbu/heoGDLFp8TljxEK6CnM+any+nXLuGOFDPjDvwAwWsXDz
byENSEpfpb+ya47y5TzfULXI0YRtQ1GvPFpXUaTUeZhBhrH9s6Sd9V20bGT5mpN1
6XSud4tJ3YlWJ5gfzvjVXltgu+UCgOnpKE9xjtvamTmt0Ed08euZwzDdYotPIL3/
q8x+ncU8MQvRzwmi7LzF2ck8Ql5bA6Txt1ZbKm4XOH7w9BLkLIZZX6UwjRi5Ta36
P7TvlbxpxODH++VeRaHkzx304PA8bH82l155tEgKKTCiRBOJeokKNRaMottod2OH
Vd34IpuquB0aIN4YnaXQ9XlI5+hZSPwjoeZHX2h1mQKQNIHPgE5Kqx/iuTw+zpzD
UAha28L/OQTJXEXVrX+tl998zS5ah+jt5T6AfWVqa3tB5KKymp92lKugznIFLbSv
8YQ45XYkM5S4Q/SP/92VffEwISvO2OOwtFbyYnQslCQykFTrp90=
=I6DL
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3896-1] mediawiki security update
Next by Date: [SECURITY] [DLA 3898-1] nghttp2 security update
Previous by thread: [SECURITY] [DLA 3896-1] mediawiki security update
Next by thread: [SECURITY] [DLA 3898-1] nghttp2 security update
Index(es):
- Date
- Thread