Bug 2117275 (CVE-2022-25763)

Summary: CVE-2022-25763 Apache Traffic Server: Improper input validation in HTTP/2 request validation.
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jered, zrhoffman
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Apache trafficserver 9.1.3
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-08-24 14:12:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2119574, 2119575
Bug Blocks: 2119543

Description Zack Miele 2022-08-10 13:29:20 UTC
Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks.  This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21

Comment 1 Jered Floyd 2022-08-10 22:06:37 UTC
I will be updating this package to 9.1.3 after I verify no config changes are necessary.

Comment 2 Jered Floyd 2022-08-18 19:20:18 UTC
Note that updated packages are in EPEL testing and should reach stable tomorrow:
 https://bodhi.fedoraproject.org/updates/?packages=trafficserver

(Not sure if the process is that I should take this bug so Fedora Updates automatically lifecycles this ticket, or leave it with Product Security.)

Comment 3 Zack Miele 2022-08-18 19:28:06 UTC
Created trafficserver tracking bugs for this issue:

Affects: epel-all [bug 2119574]
Affects: fedora-all [bug 2119575]

Comment 4 Jered Floyd 2022-08-20 02:31:38 UTC
Tracking bugs are closed and updates pushed to stable, so Product Security should now be able to close this bug.