CVE-2021-38161

Name	CVE-2021-38161
Description	Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-5153-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
trafficserver (PTS)	buster (security), buster, buster (lts)	8.1.7-0+deb10u4	fixed
	bullseye	8.1.10+ds-1~deb11u1	fixed
	bullseye (security)	8.1.11+ds-0+deb11u1	fixed
	bookworm	9.2.4+ds-0+deb12u1	fixed
	bookworm (security)	9.2.5+ds-0+deb12u1	fixed
	sid	9.2.5+ds-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
trafficserver	source	buster	8.0.2+ds-1+deb10u6	DSA-5153-1
trafficserver	source	bullseye	8.1.1+ds-1.1+deb11u1	DSA-5153-1
trafficserver	source	(unstable)	9.1.0+ds-1

Notes

https://www.openwall.com/lists/oss-security/2021/11/02/11
Mark first 9.x version as the fixed version as workaround, the issue does
not affect the 9.x series.
https://github.com/apache/trafficserver/commit/feefc5e4abc5011dfad5dcfef3f22998faf6e2d4 (8.1.x)
but reverted pot 8.1.3 in https://github.com/apache/trafficserver/commit/bbbf80d75105313b51153c7fde0bf0edc8cf7783