Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggling or cache poisoning attacks. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
I will be updating this package to 9.1.3 after I verify no config changes are necessary.
Note that updated packages are in EPEL testing and should reach stable tomorrow: https://bodhi.fedoraproject.org/updates/?packages=trafficserver (Not sure if the process is that I should take this bug so Fedora Updates automatically lifecycles this ticket, or leave it with Product Security.)
Created trafficserver tracking bugs for this issue:
Affects: epel-all [bug 2119574]
Affects: fedora-all [bug 2119575]
Tracking bugs are closed and updates pushed to stable, so Product Security should now be able to close this bug.