summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Aron Xu [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
CVE-2021-38161
commit
feefc5e4abc5011dfad5dcfef3f22998faf6e2d4
Author: Alan M. Carroll <amc@apache.org>
Date: Wed Oct 27 13:41:47 2021 -0500
Add some checking to validate the scheme matches the wire protocol. (#8464)
Gbp-Pq: Name 0020-CVE-2021-38161.patch
Aron Xu [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
CVE-2021-37149
commit
2addc8ca71449ceac0d5b80172460ee09c938f5e
Author: Brian Neradt <brian.neradt@gmail.com>
Date: Wed Oct 27 11:30:07 2021 -0500
Detect and handle chunk header size truncation (#8458)
This detects if a chunk header size is too large and, if so, closes the
connection.
Gbp-Pq: Name 0020-CVE-2021-37149.patch
Aron Xu [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
CVE-2021-37148
commit
e2c9ac217f24dc3e91ff2c9f52b52093e8fb32d5
Author: Brian Neradt <brian.neradt@verizonmedia.com>
Date: Wed Oct 27 11:30:32 2021 -0500
8.1.x: Reject Transfer-Encoding in pre-HTTP/1.1 requests (#8457)
Per spec, Transfer-Encoding is only supported in HTTP/1.1. For earlier
versions, we must reject Transfer-Encoding rather than interpret it
since downstream proxies may ignore the chunk header and rely upon the
Content-Length, or interpret the body some other way. These differences
in interpretation may open up the door to compatibility issues. To
protect against this, we reply with a 4xx if the client uses
Transfer-Encoding with HTTP versions that do not support it.
Gbp-Pq: Name 0020-CVE-2021-37148.patch
Aron Xu [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
CVE-2021-37147
commit
5cad961c87cb07fbb8fa6890685d9878a169378d
Author: Brian Neradt <brian.neradt@gmail.com>
Date: Wed Oct 27 11:29:43 2021 -0500
Fix output '\n' HTTP field line endings (#8460)
This is another attempt to fix what was initially addressed in #8096 but
got backed out via #8305. That more extensive patch was considered too
invasive and potentially risky. This more targeted patch will fix
clients that only send the \n endings but it will force the \r\n line
ending on output.
This was mostly in place except for header lines that get
m_n_v_raw_printable set, which seems to be most header lines. The
addition checks to see if the header line ends in \r\n. If it does not
the m_n_v_raw_printable flag gets cleared and the logic that explicitly
adds the line endings while be invoked on output.
Gbp-Pq: Name 0020-CVE-2021-37147.patch
Evan Zelkowitz [Tue, 22 Jun 2021 21:32:55 +0000 (14:32 -0700)]
[PATCH] Fixes (#7971)
* String the url fragment for outgoing requests (#7966)
Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
(cherry picked from commit
2b13eb33794574e62249997b4ba654d943a10f2d)
* Ensure that the content-length value is only digits (#7964)
Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
(cherry picked from commit
668d0f8668fec1cd350b0ceba3f7f8e4020ae3ca)
* Schedule H2 reenable event only if it's necessary
Co-authored-by: Katsutoshi Ikenoya <kikenoya@yahoo-corp.jp>
* Fix dynamic-stack-buffer-overflow of cachekey plugin (#7945)
* Fix dynamic-stack-buffer-overflow of cachekey plugin
* Check dst_size include null termination
(cherry picked from commit
5a9339d7bc65e1c2d8d2a0fc80bb051daf3cdb0b)
Co-authored-by: Bryan Call <bcall@apache.org>
Co-authored-by: Masakazu Kitajo <maskit@apache.org>
Co-authored-by: Katsutoshi Ikenoya <kikenoya@yahoo-corp.jp>
Co-authored-by: Masaori Koshiba <masaori@apache.org>
Gbp-Pq: Name 0019-CVE-2021-35474_32567_32566_32565_27577.patch
Brian Neradt [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
CVE-2020-17509
Origin: backport
Applied-upstream: https://github.com/apache/trafficserver/pull/7359
Last-Update: 2020-06-25
Last-Update: 2020-06-25
Gbp-Pq: Name 0018-CVE-2020-17509.patch
Brian Neradt [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
CVE-2020-17508
Origin: backport
Applied-upstream: https://github.com/apache/trafficserver/pull/7358
Last-Update: 2020-12-06
Last-Update: 2020-12-06
Gbp-Pq: Name 0018-CVE-2020-17508.patch
Bryan Call [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
CVE-2020-9494
Origin: backport
Applied-Upstream: https://github.com/apache/trafficserver/pull/6922
Last-Update: 2020-06-25
Last-Update: 2020-06-25
Gbp-Pq: Name 0017-CVE-2020-9494.patch
Aron Xu [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
CVE-2020-9481
===================================================================
Gbp-Pq: Name 0016-CVE-2020-9481.patch
Bryan Call [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
Fix for CVE-2020-1944
Origin: backport
Applied-Upstream: https://github.com/apache/trafficserver/pull/6390
Last-Update: 2020-04-16
Last-Update: 2020-04-16
Gbp-Pq: Name 0016-CVE-2020-1944.patch
Bryan Call [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
Fix for CVE-2019-17565
Origin: backport
Applied-Upstream: https://github.com/apache/trafficserver/pull/6398
Last-Update: 2020-04-16
Last-Update: 2020-04-16
Gbp-Pq: Name 0016-CVE-2019-17565.patch
Bryan Call [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
Fix for CVE-2019-17559
Origin: backport
Applied-Upstream: https://github.com/apache/trafficserver/pull/6389
Last-Update: 2020-04-16
Last-Update: 2020-04-16
Gbp-Pq: Name 0016-CVE-2019-17559.patch
Bryan Call [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
HTTP/2 fix with realloc (CVE-2019-9518)
Origin: backport, https://github.com/apache/trafficserver/pull/5850
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2019-08-26
Last-Update: 2019-08-26
Gbp-Pq: Name 0015-8.0.5-CVE-backport.patch
Bryan Call [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
HTTP/2 rate limiting
Origin: backport, https://github.com/apache/trafficserver/pull/5822
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2019-08-26
Fix for CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-10079
Last-Update: 2019-08-26
Gbp-Pq: Name 0015-8.0.4-CVE-backport.patch
Jean Baptiste Favre [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
Update compilation chain after embedded libyamlcpp removal
Origin: other
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2019-01-30
Last-Update: 2019-01-30
Gbp-Pq: Name 0014-use_system_yaml-cpp.patch
Jean Baptiste Favre [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
Fix Perl interpreter path
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2019-01-03
Last-Update: 2019-01-03
Gbp-Pq: Name 0013-fix-perl-interpreter-path.patch
Jean Baptiste Favre [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
Fix various speeling issues
Forwarded: https://github.com/apache/trafficserver/pull/4750
Applied-Upstream: https://github.com/apache/trafficserver/commit/
af0ad4a1880a21743e98331855bb78e15d5406ef
Last-Update: 2019-01-03
Last-Update: 2019-01-03
Gbp-Pq: Name 0012-fix-spelling-checks.patch
zhang [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
Fix Segmentation fault in ShowCache::handleCacheEvent
Origin: upstream
Bug: https://github.com/apache/trafficserver/issues/4328
Applied-Upstream: https://github.com/apache/trafficserver/commit/
616eb10bfc35599a2c93ff30879d584a05ddf83e
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2018-10-17
Last-Update: 2018-10-17
Gbp-Pq: Name 0011-fix-segfault.patch
Jean Baptiste Favre [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
Fix build issue with MySQL 8
Origin: other, https://bugs.launchpad.net/ubuntu/+source/trafficserver/+bug/
1795362
Forwarded: https://github.com/apache/trafficserver/pull/4360
Applied-Upstream: https://github.com/apache/trafficserver/commit/
05b30527974416768515506f69da338652c23260
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2018-10-06
The my_bool type is no longer used in MySQL source code.
Any third-party code that used this type to represent C
boolean variables should use the bool or int C type instead.
Last-Update: 2018-10-06
Gbp-Pq: Name 0009-fix-mysql-8-build.patch
Jean Baptiste Favre [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
Force python3 usage, add libfakeroot-sysv to blacklist
Origin: other
Last-Update: 2018-09-24
Last-Update: 2018-09-24
Gbp-Pq: Name 0008-fix-python-check-unused-dependencies.patch
Jean Baptiste Favre [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
Make documentation build works outside of git repository
Origin: other
Last-Update: 2019-01-03
Current documentation build requires git and curl to get some stuff from the internet
This patch aims to delete those dependencies, forcing git branch to master,
and using Debian provided plantuml instead of downloading it from apache mirror
Last-Update: 2019-01-03
Gbp-Pq: Name 0006-fix-doc-build.patch
Reiner Herrmann [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
make the build reproducible
Origin: other, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833176
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2016-11-18
Last-Update: 2016-11-18
Gbp-Pq: Name 0003-reproductible-build.patch
Aron Xu [Tue, 2 Feb 2016 04:17:24 +0000 (12:17 +0800)]
Use -mcx16 on x86 platforms only
Gbp-Pq: Name 0001-Use-mcx16-on-x86-platforms-only.patch
Abhijith PA [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
trafficserver (8.0.2+ds-1+deb10u7) buster-security; urgency=medium
* Non-maintainer upload by the Debian LTS Team.
* Multiple CVE fixes
+ CVE-2021-37150: Protocol vs scheme mismatch
+ CVE-2022-25763 Improper input validation on HTTP/2 headers
+ CVE-2022-28129 Insufficient Validation of HTTP/1.x Headers
+ CVE-2022-31780 HTTP/2 framing vulnerabilities
[dgit import unpatched trafficserver 8.0.2+ds-1+deb10u7]
Abhijith PA [Sat, 29 Oct 2022 12:33:47 +0000 (13:33 +0100)]
Import trafficserver_8.0.2+ds-1+deb10u7.debian.tar.xz
[dgit import tarball trafficserver 8.0.2+ds-1+deb10u7 trafficserver_8.0.2+ds-1+deb10u7.debian.tar.xz]
Jean Baptiste Favre [Wed, 30 Jan 2019 13:45:09 +0000 (13:45 +0000)]
Import trafficserver_8.0.2+ds.orig.tar.xz
[dgit import orig trafficserver_8.0.2+ds.orig.tar.xz]
projects / trafficserver.git / log