Your message dated Sat, 13 Apr 2024 09:35:18 +0000
with message-id <e1rvzn4-003qdc...@fasolo.debian.org>
and subject line Bug#1068417: fixed in trafficserver 9.2.4+ds-1
has caused the Debian Bug report #1068417,
regarding trafficserver: CVE-2024-31309: HTTP/2 CONTINUATION frames can be 
utilized for DoS attacks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068417: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068417
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: trafficserver
Version: 9.2.3+ds-1+deb12u1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 8.1.9+ds-1~deb11u1

Hi,

The following vulnerability was published for trafficserver.

CVE-2024-31309[0].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31309
    https://www.cve.org/CVERecord?id=CVE-2024-31309
[1] https://www.kb.cert.org/vuls/id/421644
[2] https://github.com/apache/trafficserver/pull/11207
[3] https://github.com/apache/trafficserver/pull/11206

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: trafficserver
Source-Version: 9.2.4+ds-1
Done: Jean Baptiste Favre <deb...@jbfavre.org>

We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean Baptiste Favre <deb...@jbfavre.org> (supplier of updated trafficserver 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Apr 2024 09:56:13 +0200
Source: trafficserver
Architecture: source
Version: 9.2.4+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Jean Baptiste Favre <deb...@jbfavre.org>
Changed-By: Jean Baptiste Favre <deb...@jbfavre.org>
Closes: 1068417
Changes:
 trafficserver (9.2.4+ds-1) unstable; urgency=medium
 .
   * New upstream version 9.2.4+ds
   * Refresh d/patches for 9.2.4 release
   * Update Debian Policy version
   * Update d/copyright fixing lintian superfluous-file-pattern warning
   * Update d/control to fix lintian build-depends-on-obsolete-package warning
   * CVEs fix (Closes: #1068417)
     - CVE-2024-31309: HTTP/2 CONTINUATION DoS attack

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
