Synopsis:
trafficserver security updateSummary:
An update for trafficserver is now available for openEuler-24.03-LTS-SP3Description:
Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache.
Security Fix(es):
A bug in POST request handling causes a crash under a certain condition.
This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.
Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.
A workaround for older versions is to set proxy.config.http.request_buffer_enabled to 0 (the default value is 0).(CVE-2025-58136)
Apache Traffic Server allows request smuggling if chunked messages are malformed.
This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1.
Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.(CVE-2025-65114)Topic:
An update for trafficserver is now available for master/openEuler-20.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-24.03-LTS-SP4.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Severity:
HighAffected Component:
trafficserver
9.2.11-3.oe2403sp39.2.11-3.oe2403sp39.2.11-3.oe2403sp39.2.11-3.oe2403sp39.2.11-3.oe2403sp3Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:NI:NA:H7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H