Hello Masaori. 

Thank you for the reply.

I have one more doubt. There is CVE-2022-31779[1], which references
the security announcement
https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21

But the announcement does not mention the above-mentioned CVE. Is this issue
fixed in 8.1.5 with the commits/PRs we already discussed?

--abhijith

On 28/10/22 08:31 AM, Masaori Koshiba wrote:
>    Hi Abhijith,
> 
>    The original fix for the CVE-2022-31778 is PR#7499, and it's backported
>    to the 8.1.x branch with related changes (PR#7473) by PR#8880.
> 
>    - [1]https://github.com/apache/trafficserver/pull/7473
>    - [2]https://github.com/apache/trafficserver/pull/7499
>    - [3]https://github.com/apache/trafficserver/pull/8880
> 
>    Thanks,
>    Masaori
> 
>    On Fri, Oct 28, 2022 at 7:27 AM Abhijith PA <[4]abhij...@debian.org>
>    wrote:
> 
>      Hello.
> 
>      I am backporting the recent traffic server security fixes[1] to
>      Debian LTS buster, which has traffic server version 8.0.x.
> 
>      If I am right, CVE-2022-25763, CVE-2022-28129, CVE-2022-31779 and
>      CVE-2022-31780 are fixed in commit
>      [5]https://github.com/apache/trafficserver/commit/0ca9ef5abc8a535d05150ebc7c16bbfa4e982d16
> 
>      And CVE-2021-37150 is fixed in commit
>      [6]https://github.com/apache/trafficserver/commit/4da63a69cbce10a6cd4d103de9f9b01d9c9be908
> 
>      But for CVE-2022-31778, I couldn't pinpoint the commit. Does
>      [7]https://github.com/apache/trafficserver/pull/8899 have anything
>      to do with CVE-2022-31778?
>      ([8]https://github.com/apache/trafficserver/commit/f45d490b7c3a3cb91cbc6a815b9939b19101e4d2)
> 
>      Please help to find the fix for CVE-2022-31778. Also please correct me
>      if I missed or to drop unwanted commits from above mentioned CVEs.
> 
>      Abhijith
>      Debian Developer
> 
>      [1] - [9]https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
> 
> References
> 
>    1. https://github.com/apache/trafficserver/pull/7473
>    2. https://github.com/apache/trafficserver/pull/7499
>    3. https://github.com/apache/trafficserver/pull/8880
>    4. mailto:abhij...@debian.org
>    5. https://github.com/apache/trafficserver/commit/0ca9ef5abc8a535d05150ebc7c16bbfa4e982d16
>    6. https://github.com/apache/trafficserver/commit/4da63a69cbce10a6cd4d103de9f9b01d9c9be908
>    7. https://github.com/apache/trafficserver/pull/8899
>    8. https://github.com/apache/trafficserver/commit/f45d490b7c3a3cb91cbc6a815b9939b19101e4d2
>    9. https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
