- ------------------------------------------------------------------------- Debian LTS Advisory DLA-3279-1 [email protected] https://www.debian.org/lts/security/ Abhijith PA January 23, 2023 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : trafficserver Version : 8.0.2+ds-1+deb10u7 CVE ID : CVE-2021-37150 CVE-2022-25763 CVE-2022-28129 CVE-2022-31780 Multiple vulnerabilities were found in trafficserver, a caching proxy server. CVE-2021-37150 Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources CVE-2022-25763 Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. CVE-2022-28129 Improper Input Validation vulnerability in HTTP/1.1 header parsing of Apache Traffic Server allows an attacker to send invalid headers CVE-2022-31780 Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests. For Debian 10 buster, these problems have been fixed in version 8.0.2+ds-1+deb10u7. We recommend that you upgrade your trafficserver packages. For the detailed security status of trafficserver please refer to its security tracker page at: https://security-tracker.debian.org/tracker/trafficserver Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS: DLA-3279-1: trafficserver security update
January 23, 2023
Multiple vulnerabilities were found in trafficserver, a caching proxy server
Summary
CVE-2021-37150
Improper Input Validation vulnerability in header parsing of
Apache Traffic Server allows an attacker to request secure
resources
CVE-2022-25763
Improper Input Validation vulnerability in HTTP/2 request
validation of Apache Traffic Server allows an attacker to create
smuggle or cache poison attacks.
CVE-2022-28129
Improper Input Validation vulnerability in HTTP/1.1 header parsing
of Apache Traffic Server allows an attacker to send invalid
headers
CVE-2022-31780
Improper Input Validation vulnerability in HTTP/2 frame handling
of Apache Traffic Server allows an attacker to smuggle requests.
For Debian 10 buster, these problems have been fixed in version
8.0.2+ds-1+deb10u7.
We recommend that you upgrade your trafficserver packages.
For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Severity
Package : trafficserver
Version : 8.0.2+ds-1+deb10u7
CVE ID : CVE-2021-37150 CVE-2022-25763 CVE-2022-28129
News
HOWTOs
Features
A Complete Guide to Security Automation & Reporting Using Open Source Tools
How to Check if Your Linux System is Infected with a Virus
Security Considerations for Azure Linux & Windows Subsystem for Linux Users
Admins Receive Automated Linux Patch Management & Improved Security with ManageEngine Endpoint Central
Linux Malware: The Truth About This Growing Threat [Updated]
About Us
Powered By
