Version in base suite: 9.2.5+ds-0+deb12u3 Base version: trafficserver_9.2.5+ds-0+deb12u3 Target version: trafficserver_9.2.5+ds-0+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/trafficserver/trafficserver_9.2.5+ds-0+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/trafficserver/trafficserver_9.2.5+ds-0+deb12u4.dsc changelog | 7 +++ patches/CVE-2025-58136.patch | 89 ++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-65114.patch | 91 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 189 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp8y2_xvql/trafficserver_9.2.5+ds-0+deb12u3.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp8y2_xvql/trafficserver_9.2.5+ds-0+deb12u4.dsc: no acceptable signature found diff -Nru trafficserver-9.2.5+ds/debian/changelog trafficserver-9.2.5+ds/debian/changelog --- trafficserver-9.2.5+ds/debian/changelog 2025-06-23 16:08:02.000000000 +0000 +++ trafficserver-9.2.5+ds/debian/changelog 2026-04-04 14:52:39.000000000 +0000 @@ -1,3 +1,10 @@ +trafficserver (9.2.5+ds-0+deb12u4) bookworm-security; urgency=medium + + * CVE-2026-65114 + * CVE-2025-58136 + + -- Moritz Mühlenhoff Sat, 04 Apr 2026 16:52:39 +0200 + trafficserver (9.2.5+ds-0+deb12u3) bookworm-security; urgency=medium * CVE-2024-53868 (Closes: #1101996) diff -Nru trafficserver-9.2.5+ds/debian/patches/CVE-2025-58136.patch trafficserver-9.2.5+ds/debian/patches/CVE-2025-58136.patch --- trafficserver-9.2.5+ds/debian/patches/CVE-2025-58136.patch 1970-01-01 00:00:00.000000000 +0000 +++ trafficserver-9.2.5+ds/debian/patches/CVE-2025-58136.patch 2026-04-04 14:52:31.000000000 +0000 @@ -0,0 +1,89 @@ +From cb9e4a162fe16101f3c0a9baafe6bf5baa17b68c Mon Sep 17 00:00:00 2001 +From: Brian Neradt +Date: Mon, 30 Mar 2026 15:04:05 -0500 +Subject: [PATCH] HttpSM - make sure we have a valid buffer to write on. + (#13039) + +--- trafficserver-9.2.5+ds.orig/proxy/http/HttpSM.cc ++++ trafficserver-9.2.5+ds/proxy/http/HttpSM.cc +@@ -2972,7 +2972,6 @@ HttpSM::tunnel_handler_100_continue(int + // does not free the memory from the header + t_state.hdr_info.client_response.destroy(); + tunnel.deallocate_buffers(); +- this->postbuf_clear(); + tunnel.reset(); + + if (server_entry->eos) { +@@ -6103,8 +6102,8 @@ HttpSM::do_setup_post_tunnel(HttpVC_t to + // YTS Team, yamsat Plugin + // if redirect_in_process and redirection is enabled add static producer + +- if (is_using_post_buffer || +- (t_state.redirect_info.redirect_in_process && enable_redirection && this->_postbuf.postdata_copy_buffer_start != nullptr)) { ++ if ((is_using_post_buffer && this->_postbuf.is_valid()) || // Make sure we have a valid buffer in case is buffering. ++ (t_state.redirect_info.redirect_in_process && enable_redirection && this->_postbuf.is_valid())) { + post_redirect = true; + // copy the post data into a new producer buffer for static producer + MIOBuffer *postdata_producer_buffer = new_empty_MIOBuffer(t_state.http_config_param->max_payload_iobuf_index); +--- /dev/null ++++ trafficserver-9.2.5+ds/tests/gold_tests/post/simple-post-valid-buffer-check.test.py +@@ -0,0 +1,59 @@ ++''' ++''' ++# Licensed to the Apache Software Foundation (ASF) under one ++# or more contributor license agreements. See the NOTICE file ++# distributed with this work for additional information ++# regarding copyright ownership. The ASF licenses this file ++# to you under the Apache License, Version 2.0 (the ++# "License"); you may not use this file except in compliance ++# with the License. You may obtain a copy of the License at ++# ++# http://www.apache.org/licenses/LICENSE-2.0 ++# ++# Unless required by applicable law or agreed to in writing, software ++# distributed under the License is distributed on an "AS IS" BASIS, ++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++# See the License for the specific language governing permissions and ++# limitations under the License. ++ ++Test.Summary = ''' ++Make sure we have a valid buffer to write on. This used to make ats crash. ++''' ++Test.ContinueOnFail = True ++ ++# Use microserver instead of httpbin ++server = Test.MakeOriginServer("server") ++ ++# Add a simple response for POST ++request_header = {"headers": "POST /post HTTP/1.1\r\nHost: *\r\n\r\n", "timestamp": "1469733493.993", "body": ""} ++response_header = { ++ "headers": "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 2\r\n\r\n", ++ "timestamp": "1469733493.993", ++ "body": "OK" ++} ++server.addResponse("sessionfile.log", request_header, response_header) ++ ++ts = Test.MakeATSProcess("ts") ++ ++ts.Disk.remap_config.AddLine('map / http://127.0.0.1:{0}'.format(server.Variables.Port)) ++ ++ts.Disk.records_config.update( ++ { ++ 'proxy.config.diags.debug.enabled': 1, ++ 'proxy.config.diags.debug.tags': 'http', ++ 'proxy.config.http.request_buffer_enabled': 1, ++ 'proxy.config.http.number_of_redirections': 1, ++ }) ++ ++test_run = Test.AddTestRun("post buffer test") ++test_run.Processes.Default.StartBefore(server) ++test_run.Processes.Default.StartBefore(ts) ++test_run.Processes.Default.Command = f'curl -v -H "Expect: 100-continue" -d "abc" http://127.0.0.1:{ts.Variables.port}/post' ++test_run.Processes.Default.ReturnCode = 0 ++test_run.StillRunningAfter = server ++test_run.StillRunningAfter = ts # TS should not crash ++ ++# Verify request with Expect header was processed ++ts.Disk.traffic_out.Content += Testers.ContainsExpression("100-continue", "Has Expect header") ++# Verify ATS handled the POST request (no crash) ++ts.Disk.traffic_out.Content += Testers.ContainsExpression("client post", "POST tunnel started") diff -Nru trafficserver-9.2.5+ds/debian/patches/CVE-2026-65114.patch trafficserver-9.2.5+ds/debian/patches/CVE-2026-65114.patch --- trafficserver-9.2.5+ds/debian/patches/CVE-2026-65114.patch 1970-01-01 00:00:00.000000000 +0000 +++ trafficserver-9.2.5+ds/debian/patches/CVE-2026-65114.patch 2026-04-04 14:51:16.000000000 +0000 @@ -0,0 +1,91 @@ +From e5accd7929c5cb96a01cc9afda1f6336dab59b64 Mon Sep 17 00:00:00 2001 +From: Bryan Call +Date: Mon, 30 Mar 2026 13:03:54 -0700 +Subject: [PATCH] Fix prev_is_cr flag handling in chunked encoding parser + (#13038) + +--- trafficserver-9.2.5+ds.orig/proxy/http/HttpTunnel.cc ++++ trafficserver-9.2.5+ds/proxy/http/HttpTunnel.cc +@@ -178,7 +178,7 @@ ChunkedHandler::read_size() + done = true; + break; + } else { +- if ((prev_is_cr = ParseRules::is_cr(*tmp)) == true) { ++ if (ParseRules::is_cr(*tmp)) { + ++num_cr; + } + state = CHUNK_READ_SIZE_CRLF; // now look for CRLF +@@ -200,7 +200,7 @@ ChunkedHandler::read_size() + done = true; + num_cr = 0; + break; +- } else if ((prev_is_cr = ParseRules::is_cr(*tmp)) == true) { ++ } else if (ParseRules::is_cr(*tmp)) { + if (num_cr != 0) { + state = CHUNK_READ_ERROR; + done = true; +@@ -223,7 +223,7 @@ ChunkedHandler::read_size() + num_digits = 0; + num_cr = 0; + state = CHUNK_READ_SIZE; +- } else if ((prev_is_cr = ParseRules::is_cr(*tmp)) == true) { ++ } else if (ParseRules::is_cr(*tmp)) { + if (num_cr != 0) { + Debug("http_chunk", "Found multiple CRs before chunk size"); + state = CHUNK_READ_ERROR; +@@ -236,9 +236,15 @@ ChunkedHandler::read_size() + done = true; + } + } ++ prev_is_cr = ParseRules::is_cr(*tmp); + tmp++; + data_size--; + } ++ ++ if (data_size > 0) { ++ prev_is_cr = ParseRules::is_cr(*tmp); ++ } ++ + if (drop_chunked_trailers) { + chunked_buffer->write(chunked_reader, bytes_used); + chunked_size += bytes_used; +--- trafficserver-9.2.5+ds.orig/tests/gold_tests/chunked_encoding/bad_chunked_encoding.test.py ++++ trafficserver-9.2.5+ds/tests/gold_tests/chunked_encoding/bad_chunked_encoding.test.py +@@ -134,6 +134,8 @@ class MalformedChunkHeaderTest: + "chunked body of 3 bytes for key 2 with chunk stream", "Verify that writing the second response failed.") + self.server.Streams.stdout += Testers.ContainsExpression( + "Unexpected chunked content for key 3: too small", "Verify that writing the third response failed.") ++ self.server.Streams.stdout += Testers.ContainsExpression( ++ "Unexpected chunked content for key 8: too small", "Verify that writing the sixth response failed.") + + # ATS should close the connection before any body gets through. "abcwxyz" + # is the body sent by the client for each of these chunked cases. +--- trafficserver-9.2.5+ds.orig/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml ++++ trafficserver-9.2.5+ds/tests/gold_tests/chunked_encoding/replays/malformed_chunked_header.replay.yaml +@@ -119,6 +119,26 @@ sessions: + status: 200 + + ++- transactions: ++ - client-request: ++ method: "POST" ++ version: "1.1" ++ url: /malformed/chunk/header3 ++ headers: ++ fields: ++ - [ Host, example.com ] ++ - [ Transfer-Encoding, chunked ] ++ - [ uuid, 8 ] ++ content: ++ transfer: plain ++ encoding: uri ++ # chunk-size is set to 1, but no chunk-data is present. ++ data: 1%0D%0A%0D%0A0%0D%0A%0D%0A ++ ++ # The connection will be dropped and this response will not go out. ++ server-response: ++ status: 200 ++ + # + # Now repeat the above two malformed chunk header tests, but on the server + # side. diff -Nru trafficserver-9.2.5+ds/debian/patches/series trafficserver-9.2.5+ds/debian/patches/series --- trafficserver-9.2.5+ds/debian/patches/series 2025-06-23 16:05:59.000000000 +0000 +++ trafficserver-9.2.5+ds/debian/patches/series 2026-04-04 14:52:15.000000000 +0000 @@ -9,3 +9,5 @@ CVE-2024-53868.patch CVE-2025-31698.patch CVE-2025-49763.patch +CVE-2026-65114.patch +CVE-2025-58136.patch