CVE-2024-35161

NameCVE-2024-35161
DescriptionApache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. This can be utilized for request smuggling and may also lead cache poisoning if the origin servers are vulnerable. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Users can set a new setting (proxy.config.http.drop_chunked_trailers) not to forward chunked trailer section. Users are recommended to upgrade to version 8.1.11 or 9.2.5, which fixes the issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3897-1, DSA-5758-1
Debian Bugs1077141

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
trafficserver (PTS)buster (security), buster, buster (lts)8.1.7-0+deb10u4vulnerable
bullseye8.1.10+ds-1~deb11u1vulnerable
bullseye (security)8.1.11+ds-0+deb11u1fixed
bookworm9.2.4+ds-0+deb12u1vulnerable
bookworm (security)9.2.5+ds-0+deb12u1fixed
sid9.2.5+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
trafficserversourcebuster(unfixed)end-of-life
trafficserversourcebullseye8.1.11+ds-0+deb11u1DLA-3897-1
trafficserversourcebookworm9.2.5+ds-0+deb12u1DSA-5758-1
trafficserversource(unstable)9.2.5+ds-11077141

Notes

https://www.openwall.com/lists/oss-security/2024/07/25/1
https://github.com/apache/trafficserver/commit/3ba1e2685f89bcd631b66748f70f69a5eecf741b
Search for package or bug name: Reporting problems