Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.
I will be updating this package to 9.1.3 after I verify no config changes are necessary.
Note that updated packages are in EPEL testing and should reach stable tomorrow:
(Not sure if process is that I should take this bug so Fedora Updates automatically lifecycles this ticket, or leave it with Product Security.)
Created trafficserver tracking bugs for this issue:
Affects: epel-all [bug 2119574]
Affects: fedora-all [bug 2119575]
tracking bugs are closed and updates pushed to stable, so Product Security should now be able to close this bug.