openEuler Security Advisory: openEuler-SA-2024-1955

Title: An update for trafficserver is now available for openEuler-24.03-LTS
Synopsis: trafficserver security update
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Initial release date: 2024-08-09 (revision 1.0, Initial)
Current release date: 2024-08-09
Generator: openEuler SA Tool V1.0, 2024-08-09
Aggregate severity: Critical
Affected product: openEuler-24.03-LTS
Package: trafficserver

Description

Apache Traffic Server is an open-source HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache.

An update for trafficserver is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Security Fix(es)

CVE-2023-38522
  Apache Traffic Server accepts characters that are not allowed in HTTP field names and forwards the malformed requests to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server from 8.0.0 through 8.1.10 and from 9.0.0 through 9.2.4. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
  Release date: 2024-08-09
  Affected product: openEuler-24.03-LTS
  Severity: High
  CVSS base score: 7.5
  CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  Remediation: trafficserver security update, 2024-08-09, https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1955

CVE-2024-35161
  Apache Traffic Server forwards a malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server from 8.0.0 through 8.1.10 and from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_trailers) so that the chunked trailer section is not forwarded. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
  Release date: 2024-08-09
  Affected product: openEuler-24.03-LTS
  Severity: Critical
  CVSS base score: 9.1
  CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  Remediation: trafficserver security update, 2024-08-09, https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1955

References

  https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1955
  https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-38522
  https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-35161
  https://nvd.nist.gov/vuln/detail/CVE-2023-38522
  https://nvd.nist.gov/vuln/detail/CVE-2024-35161

Updated packages (openEuler-24.03-LTS)

  aarch64:
    trafficserver-9.2.5-1.oe2403.aarch64.rpm
    trafficserver-debuginfo-9.2.5-1.oe2403.aarch64.rpm
    trafficserver-debugsource-9.2.5-1.oe2403.aarch64.rpm
    trafficserver-devel-9.2.5-1.oe2403.aarch64.rpm
    trafficserver-perl-9.2.5-1.oe2403.aarch64.rpm

  src:
    trafficserver-9.2.5-1.oe2403.src.rpm

  x86_64:
    trafficserver-9.2.5-1.oe2403.x86_64.rpm
    trafficserver-debuginfo-9.2.5-1.oe2403.x86_64.rpm
    trafficserver-debugsource-9.2.5-1.oe2403.x86_64.rpm
    trafficserver-devel-9.2.5-1.oe2403.x86_64.rpm
    trafficserver-perl-9.2.5-1.oe2403.x86_64.rpm