trafficserver - Debian Package Tracker

general

source: trafficserver (main)
version: 9.2.5+ds-1
maintainer: Jean Baptiste Favre (DMD)
uploaders: Aron Xu [DMD]
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 8.1.10+ds-1~deb11u1
old-sec: 8.1.11+ds-0+deb11u2
stable: 9.2.5+ds-0+deb12u2
stable-sec: 9.2.5+ds-0+deb12u3
stable-p-u: 9.2.5+ds-0+deb12u3
unstable: 9.2.5+ds-1

versioned links

8.1.10+ds-1~deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.1.11+ds-0+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.5+ds-0+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.5+ds-0+deb12u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.5+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

trafficserver
trafficserver-dev
trafficserver-experimental-plugins

action needed

source package has 1 unsatisfiable build dependency high

Build dependencies in unstable cannot be satisfied on arm64, ppc64el, and amd64 because: unsatisfied dependency on libpcre3-dev

Created: 2025-02-05 Last update: 2025-07-20 10:33

3 binary packages have unsatisfiable dependencies high

The dependencies of trafficserver=9.2.5+ds-1 cannot be satisfied in unstable on arm64 and amd64 because: unsatisfied dependency on libpcre3
The dependencies of trafficserver-dev=9.2.5+ds-1 cannot be satisfied in unstable on arm64 and amd64 because: unsatisfied dependency on libpcre3
The dependencies of trafficserver-experimental-plugins=9.2.5+ds-1 cannot be satisfied in unstable on arm64 and amd64 because: unsatisfied dependency on libpcre3

Created: 2025-02-05 Last update: 2025-07-20 10:33

A new upstream version is available: 10.0.6 high

A new upstream version 10.0.6 is available, you should consider packaging it.

Created: 2024-08-31 Last update: 2025-07-20 10:33

9 security issues in sid high

There are 9 open security issues in sid.

9 important issues:

CVE-2024-38311: Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
CVE-2024-38479: Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
CVE-2024-50305: Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
CVE-2024-50306: Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1. Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue.
CVE-2024-53868: Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.
CVE-2024-56195: Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
CVE-2024-56202: Expected Behavior Violation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to versions 9.2.9 or 10.0.4 or newer, which fixes the issue.
CVE-2025-31698: ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
CVE-2025-49763: ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

Created: 2024-11-14 Last update: 2025-06-24 23:30

7 security issues in bullseye high

There are 7 open security issues in bullseye.

7 important issues:

CVE-2024-38311: Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
CVE-2024-50305: Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.
CVE-2024-53868: Apache Traffic Server allows request smuggling if chunked messages are malformed. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Users are recommended to upgrade to version 9.2.10 or 10.0.5, which fixes the issue.
CVE-2024-56195: Improper Access Control vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to version 9.2.9 or 10.0.4, which fixes the issue.
CVE-2024-56202: Expected Behavior Violation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Users are recommended to upgrade to versions 9.2.9 or 10.0.4 or newer, which fixes the issue.
CVE-2025-31698: ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol. This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.
CVE-2025-49763: ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

Created: 2024-11-14 Last update: 2025-06-24 23:30

Depends on packages which need a new maintainer normal

The packages that trafficserver depends on which need a new maintainer are:

kyotocabinet (#1065694)
- Depends: libkyotocabinet16v5
- Build-Depends: libkyotocabinet-dev

Created: 2024-03-09 Last update: 2025-07-20 10:33

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 20-day delay is over. Check why.

Created: 2024-08-29 Last update: 2025-07-20 10:02

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug (2 if counting merged bugs), consider including or untagging them.

Created: 2025-01-06 Last update: 2025-07-20 10:02

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 38a17dda5872026e507272c9965e3b8c474c5e9e
Author: Jean Baptiste Favre <debian@jbfavre.org>
Date:   Mon Aug 26 14:22:01 2024 +0200

    Fix salsa-ci

Created: 2024-08-26 Last update: 2025-07-16 08:32

lintian reports 57 warnings normal

Lintian reports 57 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-08-24 Last update: 2024-08-24 06:13

debian/patches: 6 patches to forward upstream low

Among the 6 debian patches available in version 9.2.5+ds-1 of the package, we noticed the following issues:

6 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2024-08-24 06:19

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2024-03-11 Last update: 2024-03-11 02:03

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2021-10-18 07:56

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:25

testing migrations

excuses:
- Migration status for trafficserver (- to 9.2.5+ds-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ trafficserver/amd64 has unsatisfiable dependency
- ∙ ∙ trafficserver/arm64 has unsatisfiable dependency
- ∙ ∙ Updating trafficserver would introduce bugs in testing: #1087531, #1099691, #1101996, #1108044, #999938
- ∙ ∙ trafficserver unsatisfiable Build-Depends(-Arch) on amd64: libpcre3-dev
- ∙ ∙ trafficserver unsatisfiable Build-Depends(-Arch) on arm64: libpcre3-dev
- ∙ ∙ blocked by freeze: is not in testing
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/t/trafficserver.html
- ∙ ∙ uninstallable on arch amd64, not running autopkgtest there
- ∙ ∙ uninstallable on arch arm64, not running autopkgtest there
- ∙ ∙ Waiting for reproducibility test results on amd64 - info ♻
- ∙ ∙ Waiting for reproducibility test results on arm64 - info ♻
- ∙ ∙ 330 days old (needed 20 days)
- Not considered

news

[rss feed]

[2025-06-26] Accepted trafficserver 9.2.5+ds-0+deb12u3 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2025-06-24] Accepted trafficserver 9.2.5+ds-0+deb12u3 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2025-04-13] Accepted trafficserver 9.2.5+ds-0+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2025-04-05] Accepted trafficserver 9.2.5+ds-0+deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2025-02-16] Accepted trafficserver 8.1.11+ds-0+deb11u2 (source) into oldstable-security (Daniel Leidert)
[2024-09-26] Accepted trafficserver 8.1.11+ds-0+deb11u1 (source) into oldstable-security (Adrian Bunk)
[2024-08-31] Accepted trafficserver 9.2.5+ds-0+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Jean Baptiste Favre)
[2024-08-26] Accepted trafficserver 9.2.5+ds-0+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Jean Baptiste Favre)
[2024-08-23] Accepted trafficserver 9.2.5+ds-1 (source) into unstable (Jean Baptiste Favre)
[2024-04-28] Accepted trafficserver 8.1.7-0+deb10u4 (source) into oldoldstable (Adrian Bunk)
[2024-04-22] Accepted trafficserver 9.2.4+ds-2 (source) into unstable (Jean Baptiste Favre)
[2024-04-20] Accepted trafficserver 8.1.10+ds-1~deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Jean Baptiste Favre)
[2024-04-15] Accepted trafficserver 9.2.4+ds-0+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Jean Baptiste Favre)
[2024-04-14] Accepted trafficserver 9.2.4+ds-0+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Jean Baptiste Favre)
[2024-04-14] Accepted trafficserver 8.1.10+ds-1~deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Jean Baptiste Favre)
[2024-04-13] Accepted trafficserver 9.2.4+ds-1 (source) into unstable (Jean Baptiste Favre)
[2024-02-06] trafficserver REMOVED from testing (Debian testing watch)
[2024-01-14] trafficserver 9.2.3+ds-1+deb12u1 MIGRATED to testing (Debian testing watch)
[2023-11-07] Accepted trafficserver 8.1.9+ds-1~deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Jean Baptiste Favre)
[2023-11-07] Accepted trafficserver 9.2.3+ds-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Jean Baptiste Favre)
[2023-11-05] Accepted trafficserver 8.1.7-0+deb10u3 (source) into oldoldstable (Adrian Bunk)
[2023-11-05] Accepted trafficserver 9.2.3+ds-1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Jean Baptiste Favre)
[2023-11-05] Accepted trafficserver 8.1.9+ds-1~deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Jean Baptiste Favre)
[2023-11-02] Accepted trafficserver 9.2.3+ds-1 (source) into unstable (Jean Baptiste Favre)
[2023-09-30] Accepted trafficserver 8.1.7-0+deb10u2 (source) into oldoldstable (Adrian Bunk)
[2023-09-05] Accepted trafficserver 9.2.2+ds-1 (source) into unstable (Jean Baptiste Favre)
[2023-07-17] trafficserver REMOVED from testing (Debian testing watch)
[2023-06-29] Accepted trafficserver 8.1.7-0+deb10u1 (source) into oldoldstable (Adrian Bunk)
[2023-06-26] trafficserver 9.2.1+ds-1 MIGRATED to testing (Debian testing watch)
[2023-06-24] Accepted trafficserver 8.1.7+ds-1~deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Jean Baptiste Favre)

bugs [bug history graph]

all: 3 4
RC: 3 4
I&N: 0
M&W: 0
F&P: 0
patch: 1 2

links

homepage
lintian (0, 57)
buildd: logs, checks, debcheck, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 32)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.2.5+ds-1ubuntu2
4 bugs (1 patch)
patches for 9.2.5+ds-1ubuntu2