===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0330
                       trafficserver security update
                              24 January 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           trafficserver
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31780 CVE-2022-28129 CVE-2022-25763
                   CVE-2021-37150

Original Bulletin: 
   http://www.debian.org/lts/security/2023/dla-3279

Comment: CVSS (Max):  7.5 CVE-2022-31780 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3279-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
January 23, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : trafficserver
Version        : 8.0.2+ds-1+deb10u7
CVE ID         : CVE-2021-37150 CVE-2022-25763 CVE-2022-28129
                 CVE-2022-31780

Multiple vulnerabilities were found in trafficserver, a caching proxy
server.

CVE-2021-37150

    Improper Input Validation vulnerability in header parsing of
    Apache Traffic Server allows an attacker to request secure
    resources.

CVE-2022-25763

    Improper Input Validation vulnerability in HTTP/2 request
    validation of Apache Traffic Server allows an attacker to carry
    out request smuggling or cache poisoning attacks.

CVE-2022-28129

    Improper Input Validation vulnerability in HTTP/1.1 header parsing
    of Apache Traffic Server allows an attacker to send invalid
    headers.

CVE-2022-31780

    Improper Input Validation vulnerability in HTTP/2 frame handling
    of Apache Traffic Server allows an attacker to smuggle requests.

For Debian 10 buster, these problems have been fixed in version
8.0.2+ds-1+deb10u7.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------
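As an added example that is not part of the Debian advisory or the AusCERT bulletin, the shell check below compares an installed trafficserver package version against the fixed version 8.0.2+ds-1+deb10u7 named above. It assumes a Debian 10 buster host where dpkg provides the authoritative version ordering, and falls back to GNU sort -V (an assumption that holds for this package's deb10uN suffix scheme) where dpkg is absent.

```shell
#!/bin/sh
# Added example, not from DLA-3279-1: is the installed trafficserver
# package on Debian 10 buster at or above the version the advisory fixes?
FIXED_VERSION="8.0.2+ds-1+deb10u7"   # fixed version quoted in the advisory

# version_ge INSTALLED FIXED -> status 0 when INSTALLED >= FIXED.
# Uses dpkg's own Debian version comparison when dpkg is present;
# otherwise falls back to GNU sort -V, which orders the deb10uN
# suffixes of this package correctly (assumption for other schemes).
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# trafficserver_status VERSION -> prints "fixed" or "vulnerable" and
# returns 0 / 1 accordingly.  VERSION is what dpkg-query reports, e.g.
#   dpkg-query -W -f='${Version}' trafficserver
trafficserver_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "fixed"; return 0
    else
        echo "vulnerable"; return 1
    fi
}

# Stand-alone use (./check.sh --check): query the installed package.
if [ "${1:-}" = "--check" ] && command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}' trafficserver 2>/dev/null) || {
        echo "trafficserver is not installed"; exit 0; }
    echo "installed $installed: $(trafficserver_status "$installed")"
fi
```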

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================