Bug 2117275 (CVE-2022-25763) - CVE-2022-25763 Apache Traffic Server: Improper input validation in HTTP/2 request validation.
Summary: CVE-2022-25763 Apache Traffic Server: Improper input validation in HTTP/2 req...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-25763
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2119574 2119575
Blocks: 2119543
TreeView+ depends on / blocked
 
Reported: 2022-08-10 13:29 UTC by Zack Miele
Modified: 2022-08-24 14:12 UTC (History)
2 users (show)

Fixed In Version: Apache trafficserver 9.1.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-24 14:12:38 UTC


Attachments (Terms of Use)

Description Zack Miele 2022-08-10 13:29:20 UTC
Improper Input Validation vulnerability in HTTP/2 request validation of Apache Traffic Server allows an attacker to create smuggle or cache poison attacks.  This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21

Comment 1 Jered Floyd 2022-08-10 22:06:37 UTC
I will be updating this package to 9.1.3 after I verify no config changes are necessary.

Comment 2 Jered Floyd 2022-08-18 19:20:18 UTC
Note that updated packages are in EPEL testing and should reach stable tomorrow:
 https://bodhi.fedoraproject.org/updates/?packages=trafficserver

(Not sure if process is that I should take this bug so Fedora Updates automatically lifecycles this ticket, or leave it with Product Security.)

Comment 3 Zack Miele 2022-08-18 19:28:06 UTC
Created trafficserver tracking bugs for this issue:

Affects: epel-all [bug 2119574]
Affects: fedora-all [bug 2119575]

Comment 4 Jered Floyd 2022-08-20 02:31:38 UTC
tracking bugs are closed and updates pushed to stable, so Product Security should now be able to close this bug.


Note You need to log in before you can comment on or make changes to this bug.