Register | Log in

trafficserver

fast, scalable and extensible HTTP/1.1 and HTTP/2.0 caching proxy server

Choose email to subscribe with

general

source: trafficserver (main)
version: 8.0.3+ds-4
maintainer: Jean Baptiste Favre (DMD) (DM)
uploaders: Emanuele Rocca [DMD] – Aron Xu [DMD]
arch: any
std-ver: 4.4.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 7.0.0-6+deb9u2
old-sec: 7.0.0-6+deb9u2
old-bpo: 7.1.6+ds-1~bpo9+2
stable: 8.0.2+ds-1
testing: 8.0.3+ds-4
unstable: 8.0.3+ds-4

versioned links

7.0.0-6+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.1.6+ds-1~bpo9+2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.0.2+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.0.3+ds-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

trafficserver
trafficserver-dev
trafficserver-experimental-plugins

action needed

A new upstream version is available: 8.0.4 high

A new upstream version 8.0.4 is available, you should consider packaging it.

Created: 2019-08-17 Last update: 2019-08-19 07:12

4 security issues in stretch high

There are 4 open security issues in stretch.

3 important issues:

CVE-2019-9514: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CVE-2019-9512: Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-9515: Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

1 issue skipped by the security teams:

CVE-2018-11783: sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1.

Please fix them.

Created: 2019-02-26 Last update: 2019-08-16 10:06

3 security issues in buster high

There are 3 open security issues in buster.

3 important issues:

CVE-2019-9514: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CVE-2019-9512: Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-9515: Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Please fix them.

Created: 2019-08-16 Last update: 2019-08-16 10:06

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2019-9514: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CVE-2019-9512: Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-9515: Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Please fix them.

Created: 2019-08-16 Last update: 2019-08-16 10:06

3 security issues in bullseye high

There are 3 open security issues in bullseye.

3 important issues:

CVE-2019-9514: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CVE-2019-9512: Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-9515: Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Please fix them.

Created: 2019-08-16 Last update: 2019-08-16 10:06

testing migrations

This package will soon be part of the auto-hwloc transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[2019-08-07] trafficserver 8.0.3+ds-4 MIGRATED to testing (Debian testing watch)
[2019-08-05] Accepted trafficserver 8.0.3+ds-4 (source) into unstable (Jean Baptiste Favre)
[2019-08-05] trafficserver 8.0.3+ds-3 MIGRATED to testing (Debian testing watch)
[2019-07-31] Accepted trafficserver 8.0.3+ds-3 (source amd64) into unstable (Emanuele Rocca)
[2019-07-09] trafficserver 8.0.3+ds-2 MIGRATED to testing (Debian testing watch)
[2019-03-26] Accepted trafficserver 8.0.3+ds-2 (source) into unstable (Jean Baptiste Favre)
[2019-03-25] Accepted trafficserver 8.0.3+ds-1 (source) into unstable (Jean Baptiste Favre)
[2019-03-08] Accepted trafficserver 7.1.6+ds-1~bpo9+2 (source amd64) into stretch-backports (Aron Xu)
[2019-03-08] Accepted trafficserver 7.1.6+ds-1~bpo9+1 (source amd64) into stretch-backports (Aron Xu)
[2019-02-05] trafficserver 8.0.2+ds-1 MIGRATED to testing (Debian testing watch)
[2019-01-30] Accepted trafficserver 8.0.2+ds-1 (source) into unstable (Jean Baptiste Favre)
[2019-01-17] trafficserver 8.0.1-4 MIGRATED to testing (Debian testing watch)
[2019-01-11] Accepted trafficserver 8.0.1-4 (source) into unstable (Jean Baptiste Favre)
[2019-01-07] Accepted trafficserver 8.0.1-3 (source) into unstable (Jean Baptiste Favre)
[2019-01-04] Accepted trafficserver 8.0.1-2 (source) into unstable (Jean Baptiste Favre)
[2018-12-17] trafficserver 8.0.1-1 MIGRATED to testing (Debian testing watch)
[2018-12-03] Accepted trafficserver 8.0.1-1 (source) into unstable (Jean Baptiste Favre)
[2018-11-23] trafficserver 8.0.0-4 MIGRATED to testing (Debian testing watch)
[2018-11-05] Accepted trafficserver 8.0.0-4 (source) into unstable (Jean Baptiste Favre)
[2018-11-02] Accepted trafficserver 8.0.0-3 (source) into unstable (Jean Baptiste Favre)
[2018-10-17] Accepted trafficserver 8.0.0-2 (source amd64) into unstable (Jean Baptiste Favre)
[2018-10-06] Accepted trafficserver 8.0.0-1 (source amd64) into unstable (Jean Baptiste Favre)
[2018-09-02] Accepted trafficserver 7.1.4+ds-1~bpo9+1 (source amd64) into stretch-backports (Jean Baptiste Favre)
[2018-09-01] Accepted trafficserver 7.0.0-6+deb9u2 (source amd64) into proposed-updates->stable-new, proposed-updates (Jean Baptiste Favre) (signed by: Moritz Mühlenhoff)
[2018-08-31] Accepted trafficserver 7.0.0-6+deb9u2 (source amd64) into stable->embargoed, stable (Jean Baptiste Favre) (signed by: Moritz Mühlenhoff)
[2018-08-12] trafficserver 7.1.4+ds-1 MIGRATED to testing (Debian testing watch)
[2018-08-06] Accepted trafficserver 7.1.4+ds-1 (source amd64) into unstable (Jean Baptiste Favre)
[2018-08-04] Accepted trafficserver 7.1.3+ds-4~bpo9+1 (source amd64) into stretch-backports (Aron Xu)
[2018-06-28] trafficserver 7.1.3+ds-4 MIGRATED to testing (Debian testing watch)
[2018-06-22] Accepted trafficserver 7.1.3+ds-4 (source amd64) into unstable (Jean Baptiste Favre)

1
2

bugs [bug history graph]

all: 1
RC: 1
I&N: 0
M&W: 0
F&P: 0
patch: 0

links

homepage
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 8.0.3+ds-2
1 bug

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing