Name | CVE-2021-44040 |
Description | Improper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-5153-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
trafficserver (PTS) | buster (security), buster, buster (lts) | 8.1.7-0+deb10u4 | fixed |
trafficserver (PTS) | bullseye | 8.1.10+ds-1~deb11u1 | fixed |
trafficserver (PTS) | bullseye (security) | 8.1.11+ds-0+deb11u1 | fixed |
trafficserver (PTS) | bookworm | 9.2.4+ds-0+deb12u1 | fixed |
trafficserver (PTS) | bookworm (security) | 9.2.5+ds-0+deb12u1 | fixed |
trafficserver (PTS) | sid | 9.2.5+ds-1 | fixed |
The information below is based on the following data on fixed versions.
Notes
https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6
https://github.com/apache/trafficserver/commit/85c319a7f7c0537bee408ea25df6f1a5ed0a4071
https://github.com/apache/trafficserver/commit/c4e6661a5a205b1f60279f0e66aa496023185967
https://github.com/apache/trafficserver/commit/8c6f2ed84ba0d8e6255baceb99ee891ebe1ce473