Your message dated Sat, 24 Jun 2023 19:48:08 +0000
with message-id <[email protected]>
and subject line Bug#1038248: fixed in trafficserver 8.1.7+ds-1~deb11u1
has caused the Debian Bug report #1038248,
regarding trafficserver: CVE-2022-47184 CVE-2023-30631 CVE-2023-33933
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1038248: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038248
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: trafficserver
Version: 9.2.0+ds-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 8.1.6+ds-1~deb11u1
Control: found -1 8.0.2+ds-1+deb10u6

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2022-47184[0]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Software Foundation Apache Traffic
| Server. This issue affects Apache Traffic Server: 8.0.0 to 9.2.0.


CVE-2023-30631[1]:
| Improper Input Validation vulnerability in Apache Software
| Foundation Apache Traffic Server.  The configuration
| option proxy.config.http.push_method_enabled didn't function.
| However, by default the PUSH method is blocked in the ip_allow
| configuration file. This issue affects Apache Traffic Server: from
| 8.0.0 through 9.2.0.  8.x users should upgrade to 8.1.7 or later
| versions. 9.x users should upgrade to 9.2.1 or later versions.


CVE-2023-33933[2]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Software Foundation Apache Traffic
| Server. This issue affects Apache Traffic Server: from 8.0.0 through
| 9.2.0.  8.x users should upgrade to 8.1.7 or later versions. 9.x
| users should upgrade to 9.2.1 or later versions.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-47184
    https://www.cve.org/CVERecord?id=CVE-2022-47184
[1] https://security-tracker.debian.org/tracker/CVE-2023-30631
    https://www.cve.org/CVERecord?id=CVE-2023-30631
[2] https://security-tracker.debian.org/tracker/CVE-2023-33933
    https://www.cve.org/CVERecord?id=CVE-2023-33933
[3] https://lists.apache.org/thread/tns2b4khyyncgs5v5p9y35pobg9z2bvs

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: trafficserver
Source-Version: 8.1.7+ds-1~deb11u1
Done: Jean Baptiste Favre <[email protected]>

We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean Baptiste Favre <[email protected]> (supplier of updated trafficserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Jun 2023 11:16:56 +0200
Source: trafficserver
Architecture: source
Version: 8.1.7+ds-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Jean Baptiste Favre <[email protected]>
Changed-By: Jean Baptiste Favre <[email protected]>
Closes: 1038248
Changes:
 trafficserver (8.1.7+ds-1~deb11u1) bullseye-security; urgency=high
 .
   * New upstream version 8.1.7+ds
   * Multiple CVE fixes for 8.1.x (Closes: #1038248)
     + CVE-2022-47184: Exposure of Sensitive Information to an Unauthorized Actor vulnerability
     + CVE-2023-30631: Improper Input Validation vulnerability
     + CVE-2023-33933: Exposure of Sensitive Information to an Unauthorized Actor vulnerability

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
