Source: trafficserver
Version: 9.2.0+ds-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 8.1.6+ds-1~deb11u1
Control: found -1 8.0.2+ds-1+deb10u6

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2022-47184[0]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Software Foundation Apache Traffic
| Server. This issue affects Apache Traffic Server: 8.0.0 to 9.2.0.


CVE-2023-30631[1]:
| Improper Input Validation vulnerability in Apache Software
| Foundation Apache Traffic Server.  The configuration
| option proxy.config.http.push_method_enabled didn't function.
| However, by default the PUSH method is blocked in the ip_allow
| configuration file. This issue affects Apache Traffic Server: from
| 8.0.0 through 9.2.0. 8.x users should upgrade to 8.1.7 or later
| versions. 9.x users should upgrade to 9.2.1 or later versions.


CVE-2023-33933[2]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Software Foundation Apache Traffic
| Server. This issue affects Apache Traffic Server: from 8.0.0 through
| 9.2.0. 8.x users should upgrade to 8.1.7 or later versions. 9.x
| users should upgrade to 9.2.1 or later versions.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-47184
    https://www.cve.org/CVERecord?id=CVE-2022-47184
[1] https://security-tracker.debian.org/tracker/CVE-2023-30631
    https://www.cve.org/CVERecord?id=CVE-2023-30631
[2] https://security-tracker.debian.org/tracker/CVE-2023-33933
    https://www.cve.org/CVERecord?id=CVE-2023-33933
[3] https://lists.apache.org/thread/tns2b4khyyncgs5v5p9y35pobg9z2bvs

Regards,
Salvatore
