Source: trafficserver
Version: 9.2.5+ds-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for trafficserver.

CVE-2025-58136[0]:
| A bug in POST request handling causes a crash under a certain
| condition. This issue affects Apache Traffic Server: from 10.0.0
| through 10.1.1, from 9.0.0 through 9.2.12. Users are recommended to
| upgrade to version 10.1.2 or 9.2.13, which fix the issue. A
| workaround for older versions is to
| set proxy.config.http.request_buffer_enabled to 0 (the default value
| is 0).

CVE-2025-65114[1]:
| Apache Traffic Server allows request smuggling if chunked messages
| are malformed. This issue affects Apache Traffic Server: from
| 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are
| recommended to upgrade to version 9.2.13 or 10.1.2, which fix the
| issue.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58136
    https://www.cve.org/CVERecord?id=CVE-2025-58136
[1] https://security-tracker.debian.org/tracker/CVE-2025-65114
    https://www.cve.org/CVERecord?id=CVE-2025-65114

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
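As an added illustration of the bug class behind CVE-2025-65114 (request smuggling via malformed chunked messages), the Python below compares a strict HTTP/1.1 chunked-body decoder with a deliberately tolerant one. This is example code written for this page, not Apache Traffic Server code, and it does not reproduce the specific malformation fixed upstream, which the advisory does not describe. The function names, the `MalformedChunk` exception and the sample messages (including the trailing `GET /admin` request) are constructed for the example.

```python
"""Strict vs. lenient parsing of HTTP/1.1 chunked transfer coding.

Added example for the request-smuggling class of bug. Not Apache Traffic
Server code; the inputs below are constructed, and the specific malformation
behind CVE-2025-65114 is not modelled (the advisory does not describe it).
"""
import re

# RFC 9112 section 7.1: chunk-size is 1*HEXDIG. The length cap is a local
# choice so an absurdly long size line cannot be used to burn CPU in int().
CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]{1,16}")


class MalformedChunk(ValueError):
    """Raised when the chunked framing deviates from the grammar."""


def parse_chunked_strict(data: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body, accepting only the RFC 9112 grammar.

    Returns (decoded_body, bytes_after_the_message). Anything ambiguous
    (bare LF line endings, a non-hex size, chunk extensions, trailers,
    missing CRLF after chunk data) raises MalformedChunk so a proxy can
    reject the whole connection instead of guessing where the message ends.
    """
    pos = 0
    body = bytearray()
    while True:
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            raise MalformedChunk("chunk-size line not terminated by CRLF")
        size_part, sep, _ext = data[pos:eol].partition(b";")
        if sep:
            raise MalformedChunk("chunk extensions are not accepted")
        if not CHUNK_SIZE_RE.fullmatch(size_part):
            raise MalformedChunk("chunk-size is not plain hex: %r" % size_part)
        size = int(size_part, 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: only an empty trailer section is accepted here.
            if data[pos:pos + 2] != b"\r\n":
                raise MalformedChunk("trailer section or final CRLF unexpected")
            return bytes(body), data[pos + 2:]
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise MalformedChunk("truncated chunk data")
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise MalformedChunk("chunk data not followed by CRLF")
        pos += 2
        body += chunk


def parse_chunked_lenient(data: bytes) -> tuple[bytes, bytes]:
    """A deliberately tolerant decoder of the kind that causes desync.

    It ends lines at a bare LF, strips whitespace around the size, lets
    int() accept forms such as b"0x5" or b"+5", and resynchronises on the
    next LF after chunk data instead of demanding CRLF. Every one of these
    tolerances is a place where two hops can disagree on the message end.
    """
    pos = 0
    body = bytearray()
    while True:
        eol = data.find(b"\n", pos)
        if eol == -1:
            raise MalformedChunk("no line terminator")
        size = int(data[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 1
        if size == 0:
            end = data.find(b"\n", pos)  # assume an empty trailer section
            return bytes(body), (data[end + 1:] if end != -1 else b"")
        body += data[pos:pos + size]
        nl = data.find(b"\n", pos + size)
        if nl == -1:
            raise MalformedChunk("truncated chunk data")
        pos = nl + 1


def framing_disagrees(data: bytes) -> bool:
    """True when the two decoders do not reach the same verdict and boundary.

    In a proxy chain that is exactly what an attacker needs: one hop
    forwards bytes that the next hop reads as the start of another request.
    """
    outcomes = []
    for decoder in (parse_chunked_strict, parse_chunked_lenient):
        try:
            outcomes.append(decoder(data))
        except ValueError:  # MalformedChunk, or int() rejecting the size
            outcomes.append(None)
    return outcomes[0] != outcomes[1]


# Constructed sample messages: a well-formed body followed by a pipelined
# request, and one whose "0x5" chunk-size only the lenient decoder accepts.
VALID = b"5\r\nhello\r\n0\r\n\r\nGET /next HTTP/1.1\r\nHost: example\r\n\r\n"
SMUGGLED = b"0x5\r\nhello\r\n0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example\r\n\r\n"

if __name__ == "__main__":
    for label, msg in (("valid", VALID), ("smuggled", SMUGGLED)):
        print(label, "disagree" if framing_disagrees(msg) else "agree")
```

The practical check this encodes: a proxy that accepts a chunked message its upstream would parse differently must reject the connection with a 400, never normalise and forward it. The strict decoder returns the leftover bytes so the caller can confirm that only a well-formed next request follows.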

