Nice catch! It looks like the announcement is missing CVE-2022-31779. CVE-2022-31779 was originally fixed by PR#9010. 8.1.5 and 9.1.3 have the backports of it (PR#9015 and PR#9016).

- PR#9010: https://github.com/apache/trafficserver/pull/9010
- PR#9015: https://github.com/apache/trafficserver/pull/9015
- PR#9016: https://github.com/apache/trafficserver/pull/9016

@Bryan, we need a follow-up announcement about it.

— Masaori

On Tue, Nov 1, 2022 at 2:43 AM Abhijith PA <abhij...@debian.org> wrote:
> Hello Masaori.
>
> Thank you for the reply.
>
> I have one more doubt. There is CVE-2022-31779[1], which references
> the security announcement
> https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
>
> But the announcement does not mention the above-mentioned CVE. Is this issue
> fixed in 8.1.5 with the commits/PRs we already discussed?
>
> --abhijith
>
> On 28/10/22 08:31 AM, Masaori Koshiba wrote:
> > Hi Abhijith,
> >
> > The original fix for CVE-2022-31778 is PR#7499, and it's backported
> > to the 8.1.x branch with related changes (PR#7473) by PR#8880.
> >
> > - [1]https://github.com/apache/trafficserver/pull/7473
> > - [2]https://github.com/apache/trafficserver/pull/7499
> > - [3]https://github.com/apache/trafficserver/pull/8880
> >
> > Thanks,
> > Masaori
> >
> > On Fri, Oct 28, 2022 at 7:27 AM Abhijith PA <[4]abhij...@debian.org>
> > wrote:
> >
> > Hello.
> >
> > I am backporting the recent traffic server security fixes[1] to Debian
> > LTS buster, which has traffic server version 8.0.x.
> >
> > If I am right, CVE-2022-25763, CVE-2022-28129, CVE-2022-31779 and
> > CVE-2022-31780 are fixed in commit
> > [5]https://github.com/apache/trafficserver/commit/0ca9ef5abc8a535d05150ebc7c16bbfa4e982d16
> >
> > And CVE-2021-37150 is fixed in commit
> > [6]https://github.com/apache/trafficserver/commit/4da63a69cbce10a6cd4d103de9f9b01d9c9be908
> >
> > But for CVE-2022-31778, I couldn't pinpoint the commit. Does
> > [7]https://github.com/apache/trafficserver/pull/8899 have anything to do with
> > CVE-2022-31778?
> > ([8]https://github.com/apache/trafficserver/commit/f45d490b7c3a3cb91cbc6a815b9939b19101e4d2)
> >
> > Please help to find the fix for CVE-2022-31778. Also please correct me if
> > I missed any, or to drop unwanted commits from the above-mentioned CVEs.
> >
> > Abhijith
> > Debian Developer
> >
> > [1] - [9]https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
> >
> > References
> >
> > 1. https://github.com/apache/trafficserver/pull/7473
> > 2. https://github.com/apache/trafficserver/pull/7499
> > 3. https://github.com/apache/trafficserver/pull/8880
> > 4. mailto:abhij...@debian.org
> > 5. https://github.com/apache/trafficserver/commit/0ca9ef5abc8a535d05150ebc7c16bbfa4e982d16
> > 6. https://github.com/apache/trafficserver/commit/4da63a69cbce10a6cd4d103de9f9b01d9c9be908
> > 7. https://github.com/apache/trafficserver/pull/8899
> > 8. https://github.com/apache/trafficserver/commit/f45d490b7c3a3cb91cbc6a815b9939b19101e4d2
> > 9. https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21