I'm not authoritative on anything here, but this seems to obviously be related to this commit: https://github.com/apache/trafficserver/commit/27f504883547502b1f5e4e389edd7f26e3ab246f
That file otherwise hasn't changed since 2019 and that segment remains the same in 8.1.11, so I would assume that all versions prior to 9.2.6 are affected. The advisory probably only references 9.2.x and 10.x as those are the only version series under support. (Since 8.x is not, perhaps it should be removed from the Downloads page.) It's not clear to me the circumstances under which this error represents a meaningful vulnerability, but if you are running an 8.x release there are other fixed CVEs that seem of greater importance.

--Jered

----- On Jan 19, 2025, at 4:31 PM, Daniel Leidert dleid...@debian.org wrote:

> Hi,
>
> On Wednesday, 01.01.2025 at 03:17 +0100, Daniel Leidert wrote:
>>
>> does CVE-2024-50306 also affect the 8.1 series? The report itself only
>> lists 9.x and 10.x as vulnerable. But the affected code is the same in
>> the 8.1 series. Thus, I was wondering if this CVE is really just an
>> issue for 9.x and 10.x?
>
> I'd like to bring attention again to this question. Any confirmation or
> information is highly appreciated.
>
> Regards, Daniel