On Fri, Jun 25, 2021 at 08:59:25AM +0200, Lorenzo Maurizi wrote:
> Package: trafficserver
> Version: 8.0.2+ds-1+deb10u4
> Severity: grave
> Tags: security
> Justification: user security hole
>
> CVE:
> CVE-2021-27577 Incorrect handling of url fragment leads to cache poisoning
> CVE-2021-32565 HTTP Request Smuggling, content length with invalid characters
> CVE-2021-32566 Specific sequence of HTTP/2 frames can cause ATS to crash
> CVE-2021-32567 Reading HTTP/2 frames too many times
> CVE-2021-35474 Dynamic stack buffer overflow in cachekey plugin
For 8.1.x these are fixed by
https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277

I've added full references to the Security Tracker:
https://security-tracker.debian.org/tracker/CVE-2021-35474
https://security-tracker.debian.org/tracker/CVE-2021-32567
https://security-tracker.debian.org/tracker/CVE-2021-32566
https://security-tracker.debian.org/tracker/CVE-2021-32565
https://security-tracker.debian.org/tracker/CVE-2021-27577

Jean Baptiste, can you prepare updates for buster-security?

Cheers,
Moritz