OESA-2024-1955

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1955
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2024-1955.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2024-1955
Upstream
Published
2024-08-09T11:08:45Z
Modified
2025-09-03T06:19:20.212384Z
Summary
trafficserver security update
Details

Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache.

Security Fix(es):

Apache Traffic Server accepts characters that are not allowed in HTTP field names and forwards the malformed requests to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. (CVE-2023-38522)

Apache Traffic Server forwards malformed HTTP chunked trailer sections to origin servers. This can be utilized for request smuggling and may also lead to cache poisoning if the origin servers are vulnerable.

This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4.

Users can set a new setting (proxy.config.http.drop_chunked_trailers) so that the chunked trailer section is not forwarded. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue. (CVE-2024-35161)

Database specific
{
    "severity": "Critical"
}
References

Affected packages

openEuler:24.03-LTS / trafficserver

Package

Name
trafficserver
Purl
pkg:rpm/openEuler/trafficserver&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.2.5-1.oe2403

Ecosystem specific

{
    "x86_64": [
        "trafficserver-9.2.5-1.oe2403.x86_64.rpm",
        "trafficserver-debuginfo-9.2.5-1.oe2403.x86_64.rpm",
        "trafficserver-debugsource-9.2.5-1.oe2403.x86_64.rpm",
        "trafficserver-devel-9.2.5-1.oe2403.x86_64.rpm",
        "trafficserver-perl-9.2.5-1.oe2403.x86_64.rpm"
    ],
    "src": [
        "trafficserver-9.2.5-1.oe2403.src.rpm"
    ],
    "aarch64": [
        "trafficserver-9.2.5-1.oe2403.aarch64.rpm",
        "trafficserver-debuginfo-9.2.5-1.oe2403.aarch64.rpm",
        "trafficserver-debugsource-9.2.5-1.oe2403.aarch64.rpm",
        "trafficserver-devel-9.2.5-1.oe2403.aarch64.rpm",
        "trafficserver-perl-9.2.5-1.oe2403.aarch64.rpm"
    ]
}