Debian Trafficserver vulnerabilities

CVE-2021-38161 [HIGH] CVE-2021-38161: trafficserver - Improper Authentication vulnerability in TLS origin verification of Apache Traff... Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8. Scope: local bookworm: resolved (fixed in 9.1.0+ds-1) bullseye: resolved (fixed in 8.1.1+ds-1.1+deb11u1) sid: resolved (fixed in 9.1.0+ds-1)

CVE-2021-32566 [HIGH] CVE-2021-32566: trafficserver - Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allow... Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. Scope: local bookworm: resolved (fixed in 8.1.1+ds-1.1) bullseye: resolved (fixed in 8.1.1+ds-1.1) sid: resolved (fixed in 8.1.1+ds-1.1)

CVE-2021-37150 [HIGH] CVE-2021-37150: trafficserver - Improper Input Validation vulnerability in header parsing of Apache Traffic Serv... Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. Scope: local bookworm: resolved (fixed in 9.1.3+ds-1) bullseye: resolved (fixed in 8.1.5+ds-1~deb11u1) sid: resolved (fixed in 9.1.3+ds-1)

CVE-2021-27577 [HIGH] CVE-2021-27577: trafficserver - Incorrect handling of url fragment vulnerability of Apache Traffic Server allows... Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. Scope: local bookworm: resolved (fixed in 8.1.1+ds-1.1) bullseye: resolved (fixed in 8.1.1+ds-1.1) sid: resolved (fixed in 8.1.1+ds-1.1)

CVE-2021-37148 [HIGH] CVE-2021-37148: trafficserver - Improper input validation vulnerability in header parsing of Apache Traffic Serv... Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.0.1. Scope: local bookworm: resolved (fixed in 9.1.1+ds-1) bullseye: resolved (fixed in 8.1.1+ds-1.1+deb11u1) sid: resolved (fixed in 9.1.1+ds-1)

CVE-2021-41585 [HIGH] CVE-2021-41585: trafficserver - Improper Input Validation vulnerability in accepting socket connections in Apach... Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffic Server 5.0.0 to 9.1.0. Scope: local bookworm: resolved bullseye: resolved sid: resolved

CVE-2021-27737 [HIGH] CVE-2021-27737: trafficserver - Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experime... Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin. Scope: local bookworm: resolved bullseye: resolved sid: resolved

CVE-2020-1944 [CRITICAL] CVE-2020-1944: trafficserver - There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8... There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and Transfer-Encoding and Content length headers. Upgrade to versions 7.1.9 and 8.0.6 or later versions. Scope: local bookworm: resolved (fixed in 8.0.6+ds-1) bullseye: resolved (fixed in 8.0.6+ds-1) sid: resolved (fixed in 8.0.6+ds-1)

CVE-2020-9481 [HIGH] CVE-2020-9481: trafficserver - Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a... Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is vulnerable to a HTTP/2 slow read attack. Scope: local bookworm: resolved (fixed in 8.0.7+ds-1) bullseye: resolved (fixed in 8.0.7+ds-1) sid: resolved (fixed in 8.0.7+ds-1)

CVE-2020-9494 [HIGH] CVE-2020-9494: trafficserver - Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vul... Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread. Scope: local bookworm: resolved (fixed in 8.0.8+ds-1) bullseye: resolved (fixed in 8.0.8+ds-1) sid: resolved (fixed in 8.0.8+ds-1)

CVE-2020-17508 [HIGH] CVE-2020-17508: trafficserver - The ATS ESI plugin has a memory disclosure vulnerability. If you are running the... The ATS ESI plugin has a memory disclosure vulnerability. If you are running the plugin please upgrade. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected. Scope: local bookworm: resolved (fixed in 8.1.1+ds-1) bullseye: resolved (fixed in 8.1.1+ds-1) sid: resolved (fixed in 8.1.1+ds-1)

CVE-2020-17509 [HIGH] CVE-2020-17509: trafficserver - ATS negative cache option is vulnerable to a cache poisoning attack. If you have... ATS negative cache option is vulnerable to a cache poisoning attack. If you have this option enabled, please upgrade or disable this feature. Apache Traffic Server versions 7.0.0 to 7.1.11 and 8.0.0 to 8.1.0 are affected. Scope: local bookworm: resolved (fixed in 8.1.1+ds-1) bullseye: resolved (fixed in 8.1.1+ds-1) sid: resolved (fixed in 8.1.1+ds-1)

CVE-2019-17559 [CRITICAL] CVE-2019-17559: trafficserver - There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8... There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and scheme parsing. Upgrade to versions 7.1.9 and 8.0.6 or later versions. Scope: local bookworm: resolved (fixed in 8.0.6+ds-1) bullseye: resolved (fixed in 8.0.6+ds-1) sid: resolved (fixed in 8.0.6+ds-1)

CVE-2019-17565 [CRITICAL] CVE-2019-17565: trafficserver - There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8... There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.8, and 8.0.0 to 8.0.5 with a smuggling attack and chunked encoding. Upgrade to versions 7.1.9 and 8.0.6 or later versions. Scope: local bookworm: resolved (fixed in 8.0.6+ds-1) bullseye: resolved (fixed in 8.0.6+ds-1) sid: resolved (fixed in 8.0.6+ds-1)

CVE-2019-9512 [HIGH] CVE-2019-9512: h2o - Some HTTP/2 implementations are vulnerable to ping floods, potentially leading t... Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Scope: local bookworm: resolved (fixed in 2.2.5+dfsg2-3) bullse

CVE-2019-9514 [HIGH] CVE-2019-9514: h2o - Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading... Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. Scope: local book

CVE-2019-10079 [HIGH] CVE-2019-10079: trafficserver - Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier ver... Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions. Scope: local bookworm: resolved (fixed in 8.0.5+ds-1) bullseye: resolved (fixed in

CVE-2019-9518 [HIGH] CVE-2019-9518: trafficserver - Some HTTP/2 implementations are vulnerable to a flood of empty frames, potential... Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. Thi

CVE-2019-9515 [HIGH] CVE-2019-9515: h2o - Some HTTP/2 implementations are vulnerable to a settings flood, potentially lead... Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued,

CVE-2018-1318 [HIGH] CVE-2018-1318: trafficserver - Adding method ACLs in remap.config can cause a segfault when the user makes a ca... Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request. This affects versions Apache Traffic Server (ATS) 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions. Scope: local bookworm: resolved (fi