-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0330
                      trafficserver security update
                              24 January 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           trafficserver
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31780 CVE-2022-28129 CVE-2022-25763
                   CVE-2021-37150

Original Bulletin:
   http://www.debian.org/lts/security/2023/dla-3279

Comment: CVSS (Max):  7.5 CVE-2022-31780 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
         CVSS Source: NVD
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3279-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
January 23, 2023                              https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : trafficserver
Version        : 8.0.2+ds-1+deb10u7
CVE ID         : CVE-2021-37150 CVE-2022-25763 CVE-2022-28129 CVE-2022-31780

Multiple vulnerabilities were found in trafficserver, a caching proxy server.

CVE-2021-37150

    Improper Input Validation vulnerability in header parsing of Apache
    Traffic Server allows an attacker to request secure resources.

CVE-2022-25763

    Improper Input Validation vulnerability in HTTP/2 request validation of
    Apache Traffic Server allows an attacker to perform request smuggling
    or cache poisoning attacks.
CVE-2022-28129

    Improper Input Validation vulnerability in HTTP/1.1 header parsing of
    Apache Traffic Server allows an attacker to send invalid headers.

CVE-2022-31780

    Improper Input Validation vulnerability in HTTP/2 frame handling of
    Apache Traffic Server allows an attacker to smuggle requests.

For Debian 10 buster, these problems have been fixed in version
8.0.2+ds-1+deb10u7.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAmPOawQACgkQhj1N8u2c
KO+HfA/7BqH/Q9mQcq3WLzf2qEmxaRrwoN/t/TwmUJRdUrSIBVdCbf7VTtygVyIp
eqnfdnWRp/4ZH1Sdg95vB6l0Wu8txVt0KjYltLWrWnjfdMqDBHFk1M45BkXmSHrv
QKC8h68J1Y9inpZjGJ680PW0W0XkaSB75khUC58plctUbXeTV9Gchhr29+q96/3R
acBBrfBicvebYeaMIE+tzbRIHva5S9R5byczITXCYaz+2+U8BUWDA+QQseO0Yeme
STk3X+bNoexBY3BleNULqrcyWopMs3Hb1XcQsAUvJFP/0JqCj+87Ef++9y17efoM
PYzPQlIM5uBJlslxH7/iqyC6sWJiK2qUTBhL7dcdKULsHX81szMek0VtOvj6MhsT
w4PYGxAKiEk5P6e4NNAj6DngmnFJBZWC/qc3axtkVxH3Lkv/nqxhklowMsgxTkCb
LPHOrIefj2Ae6xbCPNs3xcE2fYDmjK1ISqPEoGfX2DB6tItg/EKMbiJ752h0Hf93
4UtIDztOEiybvC8MfpA2xi9jTwWGvTTY1ThTMBB5y4dyb6SqcR5EbLPB6vV4kkoK
mxYB4ABCYXv+Nb1c76yDd0qVrWl6Vs1uokdLHsLlzwfSf7us9dJbcRo1Uu3Rn7r4
PmOIPHNACTlY7/9iqcu9QYxqNasNKfGJaDUX+dN4tcJr9ZOyiDw=
=ambk
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY88o38kNZI30y1K9AQgzCA/8CPxVsUvic3vlGgXNA45kHvkEmcouCwv3
N6kSJn90IZgxKJYfSBinrwm8DeNKjGTs8XNWEhG1ejaccMGSFRVVo3LrpJiPLT6+
IQ4KbIDfnEt2S4RF9TKewqa5ddFQSsQ9T7iJaMioKraHVcH+XTa6kP+BpVmxJ+0z
hyDI+siSaq+yQffr3AqX+Rie5jPSXCiNdXIqv+gfq5wPlQVIXQgcHcH6u3PDVkh9
GfSb95rh95kAqAfjXxXddT29CoiewpPPGLSpGXCDraw3uemtIJiWVZ+uhTW5Uz4B
ZC9nrlwveM6cCIPkOyLPEls1TvghjKd+F72T+ddzFLcrLENWUXo2uOGj1xMrHrNE
gRpMREGimY9huWCc0lnBIGIeD5jbFh+n1MOsPO44grKqoxfS8HSl+Mep5ihx4gAA
BU/0Hh1kdmt+I9nTxZfyxvBWKR2Uzy55RVKWbBn5aCDlP4YVWuJsa5eoLC4X5bR5
v/Sl3ILF9+43aGsE2efIMwssiq521yoHu9CyzIfkyuqBXD1d7gNu9HmagUPvDEsj
8Nh+M515z5e7LEqbAPkEwu14iS+AFsf1IiX8NSx3kwEiDbdFasrNkNRBLWZDvMxg
+A1aB0qWRuDmmT9CKHP3c1JPC22R2l6u/H2MIb902A9FSShbqLlNCNGpXzB/k/qU
5O2AUr3zeis=
=Rni6
-----END PGP SIGNATURE-----
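The remediation in the included Debian advisory is to upgrade trafficserver to 8.0.2+ds-1+deb10u7. The following is an added example, not code from the AusCERT bulletin, Debian or Apache Traffic Server, that decides from `dpkg-query` output whether a host still needs that update. It re-implements dpkg's version-ordering rules so that the comparison is correct where a plain string comparison is not (a later Debian revision such as deb10u10 would otherwise sort below deb10u7). The package list it parses is constructed sample data; the package names other than `trafficserver` and the deb10u10 revision are assumptions for illustration.

```python
"""Decide whether an installed trafficserver package carries the DLA-3279-1 fix.

Added example; it is not part of the AusCERT bulletin or the Debian advisory.
It re-implements dpkg's version ordering (epoch, upstream version, Debian
revision, with '~' sorting before everything) so that the comparison against
the fixed version 8.0.2+ds-1+deb10u7 is right where a plain string compare is
not (deb10u10 would otherwise sort below deb10u7). On a Debian host the same
check is:

    dpkg --compare-versions "$(dpkg-query -W -f='${Version}' trafficserver)" \
        ge 8.0.2+ds-1+deb10u7
"""

FIXED_VERSION = "8.0.2+ds-1+deb10u7"   # fixed version named in DLA-3279-1
DIGITS = "0123456789"


def _order(c):
    """Character weight used by dpkg: '~' < end of string == digit < letter < other."""
    if c == "" or c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments as dpkg's verrevcmp() does (<0, 0, >0)."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character weights one by one.
        while (a and a[0] not in DIGITS) or (b and b[0] not in DIGITS):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Numeric run: drop leading zeros, the longer run wins, otherwise the
        # first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0] in DIGITS and b and b[0] in DIGITS:
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0] in DIGITS:
            return 1
        if b and b[0] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-debian_revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the ordering of `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def triage(dpkg_query_output, fixed=FIXED_VERSION):
    """Parse lines of `dpkg-query -W -f='${Package}\\t${Version}\\n'` and map
    each trafficserver* package to (version, patched?)."""
    report = {}
    for line in dpkg_query_output.splitlines():
        if "\t" not in line:
            continue
        pkg, ver = line.split("\t", 1)
        if pkg.startswith("trafficserver"):
            report[pkg] = (ver.strip(), is_patched(ver.strip(), fixed))
    return report


# Constructed sample of dpkg-query output (not captured from a real host);
# the deb10u10 revision is invented to exercise the numeric ordering.
SAMPLE_DPKG_OUTPUT = (
    "trafficserver\t8.0.2+ds-1+deb10u6\n"
    "trafficserver-dev\t8.0.2+ds-1+deb10u7\n"
    "trafficserver-experimental-plugins\t8.0.2+ds-1+deb10u10\n"
)

if __name__ == "__main__":
    for pkg, (ver, ok) in sorted(triage(SAMPLE_DPKG_OUTPUT).items()):
        print(f"{pkg:36} {ver:22} {'patched' if ok else 'NEEDS UPDATE'}")
```

The `~` rule matters for backported or pre-release builds (8.0.2~rc1 is older than 8.0.2), and the epoch rule matters when a distribution resets the version scheme; both are handled the same way dpkg handles them, so the result matches what `apt` would decide about the upgrade.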