SB2020050404 - Debian update for trafficserver

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2019-17559)

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to improper input validation in HTTP headers and scheme parsing. A remote attacker can send a specially crafted HTTP request and perform HTTP request smuggling attack.

2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2019-17565)

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to improper input validation in HTTP headers and chunked encoding. A remote attacker can send a specially crafted HTTP request and perform HTTP request smuggling attack.

3) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2020-1944)

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to improper input validation in HTTP headers and a Content-Length header. A remote attacker can send a specially crafted HTTP request and perform HTTP request smuggling attack.

4) Resource management error (CVE-ID: CVE-2020-9481)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the affected software is vulnerable to a HTTP/2 slow read attack. A remote attacker can send HTTP requests in pieces slowly, one at a time to a Web server and cause a denial of service condtion on the target system.

Remediation

Install update from vendor's website.

References

• https://www.debian.org/security/2020/dsa-4672