#1108044 trafficserver: CVE-2025-49763 CVE-2025-31698

Package:
src:trafficserver
Source:
src:trafficserver
Submitter:
Salvatore Bonaccorso
Date:
2025-06-26 16:04:04 UTC
Severity:
normal
Tags:
#1108044#5
Date:
2025-06-19 16:17:33 UTC
Hi,

The following vulnerabilities were published for trafficserver.

CVE-2025-49763[0]:
| ESI plugin does not have the limit for maximum inclusion depth, and
| that allows excessive memory consumption if malicious instructions
| are inserted.  Users can use a new setting for the plugin
| (--max-inclusion-depth) to limit it. This issue affects Apache Traffic
| Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.
| Users are recommended to upgrade to version 9.2.11 or 10.0.6,  which
| fixes the issue.


CVE-2025-31698[1]:
| ACL configured in ip_allow.config or remap.config does not use IP
| addresses that are provided by PROXY protocol.  Users can use a new
| setting (proxy.config.acl.subjects) to choose which IP addresses to
| use for the ACL if Apache Traffic Server is configured to accept
| PROXY protocol.  This issue affects undefined: from 10.0.0 through
| 10.0.6, from 9.0.0 through 9.2.10.  Users are recommended to upgrade
| to version 9.2.11 or 10.0.6, which fixes the issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-49763
https://www.cve.org/CVERecord?id=CVE-2025-49763
[1] https://security-tracker.debian.org/tracker/CVE-2025-31698
https://www.cve.org/CVERecord?id=CVE-2025-31698
[2] https://www.openwall.com/lists/oss-security/2025/06/17/7

Regards,
Salvatore

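As an added illustration of the second CVE above (not part of the bug report or of the Apache Traffic Server code), the Python sketch below parses a PROXY protocol v1 header and evaluates an ip_allow-style allowlist against either the TCP peer (the load balancer) or the client address carried in the PROXY header. The ordered `subjects` list mirrors the idea behind `proxy.config.acl.subjects`, but its syntax, the sample addresses and the helper names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: a PROXY v1 header as a load balancer would prepend it.
SAMPLE_PROXY_LINE = b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 443\r\n"


def parse_proxy_v1(data: bytes) -> Tuple[str, bytes]:
    """Return (client IP from the PROXY v1 header, remaining bytes).
    Malformed headers are rejected rather than guessed at."""
    line, sep, rest = data.partition(b"\r\n")
    if not sep or len(line) > 105:  # v1 header is at most 107 bytes incl. CRLF
        raise ValueError("malformed or missing PROXY v1 header")
    parts = line.decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header")
    src = ipaddress.ip_address(parts[2])  # raises on garbage
    return str(src), rest


@dataclass
class Conn:
    peer_ip: str                 # TCP peer, i.e. the load balancer
    proxy_ip: Optional[str]      # client IP from the PROXY header, if any


def acl_allows(conn: Conn, allow, subjects=("PEER",)) -> bool:
    """Evaluate an allowlist of CIDRs. 'subjects' says which address to test,
    in order; the first one that is present decides (assumed semantics,
    modelled on proxy.config.acl.subjects, not ATS's own parser)."""
    nets = [ipaddress.ip_network(n) for n in allow]
    for subj in subjects:
        ip = conn.proxy_ip if subj == "PROXY" else conn.peer_ip
        if ip is None:
            continue
        return any(ipaddress.ip_address(ip) in n for n in nets)
    return False


def demo() -> dict:
    """Show why an ACL keyed on the peer address is bypassed behind a LB."""
    src, _ = parse_proxy_v1(SAMPLE_PROXY_LINE)
    conn = Conn(peer_ip="10.0.0.5", proxy_ip=src)  # 10.0.0.5: constructed LB address
    allow = ["10.0.0.0/8"]                         # intent: internal clients only
    return {
        "peer_only": acl_allows(conn, allow, ("PEER",)),            # pre-fix: True
        "proxy_first": acl_allows(conn, allow, ("PROXY", "PEER")),  # real client: False
    }
```

With the peer as the only subject, every client behind the load balancer appears to come from 10.0.0.5 and passes the internal-only rule; testing the PROXY-supplied address first denies the external client.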
#1108044#12
Date:
2025-06-26 16:03:16 UTC
We believe that the bug you reported is fixed in the latest version of
trafficserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108044@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated trafficserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 23 Jun 2025 21:06:25 +0200
Source: trafficserver
Architecture: source
Version: 9.2.5+ds-0+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Jean Baptiste Favre <debian@jbfavre.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Closes: 1101996 1108044
Changes:
 trafficserver (9.2.5+ds-0+deb12u3) bookworm-security; urgency=medium
 .
   * CVE-2024-53868 (Closes: #1101996)
   * CVE-2025-31698, CVE-2025-49763 (Closes: #1108044)