Version in base suite: 8.1.5+ds-1~deb11u1
Base version: trafficserver_8.1.5+ds-1~deb11u1
Target version: trafficserver_8.1.6+ds-1~deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/trafficserver/trafficserver_8.1.5+ds-1~deb11u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/t/trafficserver/trafficserver_8.1.6+ds-1~deb11u1.dsc
 CHANGELOG-8.1.5 | 2 +-
 CHANGELOG-8.1.6 | 3 +++
 configure | 30 +++++++++++++++---------------
 configure.ac | 4 ++--
 debian/changelog | 10 ++++++++++
 debian/upstream/signing-key.asc | 36 ++++++++++++++++++++++++++++++++++++
 plugins/authproxy/authproxy.cc | 9 +++++++++
 proxy/http/HttpSM.cc | 3 +++
 tools/package/trafficserver.spec | 2 +-
 9 files changed, 80 insertions(+), 19 deletions(-)
diff -Nru trafficserver-8.1.5+ds/CHANGELOG-8.1.5 trafficserver-8.1.6+ds/CHANGELOG-8.1.5
--- trafficserver-8.1.5+ds/CHANGELOG-8.1.5 2022-08-09 13:57:23.000000000 +0000
+++ trafficserver-8.1.6+ds/CHANGELOG-8.1.5 2022-12-14 17:03:30.000000000 +0000
@@ -1,5 +1,5 @@
 Changes with Apache Traffic Server 8.1.5
- #8880 - 8.1.x Backport: Move has_request_body to ProxyTransaction (#7499)
+ #8880 - 8.1.x Backport: Move has_request_body to ProxyTransaction (#7499)
 #8910 - Pin Jinja2 for doc builds (#8773)
 #8912 - uri_signing plugin: Fix missing payload validation for the iss field (#8901)
 #9007 - 8.1.x: Add back scheme validation 81x
diff -Nru trafficserver-8.1.5+ds/CHANGELOG-8.1.6 trafficserver-8.1.6+ds/CHANGELOG-8.1.6
--- trafficserver-8.1.5+ds/CHANGELOG-8.1.6 1970-01-01 00:00:00.000000000 +0000
+++ trafficserver-8.1.6+ds/CHANGELOG-8.1.6 2022-12-14 17:03:30.000000000 +0000
@@ -0,0 +1,3 @@
+Changes with Apache Traffic Server 8.1.6
+ #9241 - drain request body on cache noop action
+ #9247 - [8.1.x] authproxy: Handle WRITE_READY event
diff -Nru trafficserver-8.1.5+ds/configure trafficserver-8.1.6+ds/configure
--- trafficserver-8.1.5+ds/configure 2022-08-09 13:57:23.000000000 +0000
+++ trafficserver-8.1.6+ds/configure 2022-12-14 17:03:30.000000000 +0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Apache Traffic Server 8.1.5.
+# Generated by GNU Autoconf 2.69 for Apache Traffic Server 8.1.6.
 #
 # Report bugs to .
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='Apache Traffic Server'
 PACKAGE_TARNAME='trafficserver'
-PACKAGE_VERSION='8.1.5'
-PACKAGE_STRING='Apache Traffic Server 8.1.5'
+PACKAGE_VERSION='8.1.6'
+PACKAGE_STRING='Apache Traffic Server 8.1.6'
 PACKAGE_BUGREPORT='dev@trafficserver.apache.org'
 PACKAGE_URL='http://trafficserver.apache.org'
@@ -1673,7 +1673,7 @@
 # Omit some internal or obsolete options to make the list less imposing.
 # This message is too long to be a string in the A/UX 3.1 sh.
 cat <<_ACEOF
-\`configure' configures Apache Traffic Server 8.1.5 to adapt to many kinds of systems.
+\`configure' configures Apache Traffic Server 8.1.6 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1744,7 +1744,7 @@
 if test -n "$ac_init_help"; then
 case $ac_init_help in
- short | recursive ) echo "Configuration of Apache Traffic Server 8.1.5:";;
+ short | recursive ) echo "Configuration of Apache Traffic Server 8.1.6:";;
 esac
 cat <<\_ACEOF
@@ -1985,7 +1985,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
 cat <<\_ACEOF
-Apache Traffic Server configure 8.1.5
+Apache Traffic Server configure 8.1.6
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2815,7 +2815,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by Apache Traffic Server $as_me 8.1.5, which was
+It was created by Apache Traffic Server $as_me 8.1.6, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 $ $0 $@
@@ -3684,7 +3684,7 @@
 # Define the identity of the package.
 PACKAGE='trafficserver'
- VERSION='8.1.5'
+ VERSION='8.1.6'
 cat >>confdefs.h <<_ACEOF
@@ -3972,13 +3972,13 @@
 # convention that attempts to solve problems that most people just
 # don't have and which just causes confusion for most end users.
 #
-TS_VERSION_MAJOR=$((8001005 / 1000000 ))
-TS_VERSION_MINOR=$(((8001005 / 1000) % 1000 ))
-TS_VERSION_MICRO=$((8001005 % 1000 ))
+TS_VERSION_MAJOR=$((8001006 / 1000000 ))
+TS_VERSION_MINOR=$(((8001006 / 1000) % 1000 ))
+TS_VERSION_MICRO=$((8001006 % 1000 ))
 TS_LIBTOOL_MAJOR=`echo $((${TS_VERSION_MAJOR} + ${TS_VERSION_MINOR}))`
 TS_LIBTOOL_VERSION=$TS_LIBTOOL_MAJOR:$TS_VERSION_MICRO:$TS_VERSION_MINOR
-TS_VERSION_STRING=8.1.5
-TS_VERSION_NUMBER=8001005
+TS_VERSION_STRING=8.1.6
+TS_VERSION_NUMBER=8001006
 #
 # Substitute the above version numbers into the various files below.
@@ -30809,7 +30809,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Apache Traffic Server $as_me 8.1.5, which was
+This file was extended by Apache Traffic Server $as_me 8.1.6, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 CONFIG_FILES = $CONFIG_FILES
@@ -30876,7 +30876,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-Apache Traffic Server config.status 8.1.5
+Apache Traffic Server config.status 8.1.6
 configured by $0, generated by GNU Autoconf 2.69,
 with options \\"\$ac_cs_config\\"
diff -Nru trafficserver-8.1.5+ds/configure.ac trafficserver-8.1.6+ds/configure.ac
--- trafficserver-8.1.5+ds/configure.ac 2022-08-09 13:57:23.000000000 +0000
+++ trafficserver-8.1.6+ds/configure.ac 2022-12-14 17:03:30.000000000 +0000
@@ -32,8 +32,8 @@
 # Version number is calculated as MAJOR * 1000000 + MINOR * 1000 + MICRO
 # Version string is in the form of MAJOR.MINOR.MICRO[sufix]
 #
-m4_define([TS_VERSION_S],[8.1.5])
-m4_define([TS_VERSION_N],[8001005])
+m4_define([TS_VERSION_S],[8.1.6])
+m4_define([TS_VERSION_N],[8001006])
 AC_INIT([Apache Traffic Server], TS_VERSION_S(), [dev@trafficserver.apache.org], [trafficserver],[http://trafficserver.apache.org])
 AC_PREREQ([2.59])
diff -Nru trafficserver-8.1.5+ds/debian/changelog trafficserver-8.1.6+ds/debian/changelog
--- trafficserver-8.1.5+ds/debian/changelog 2022-08-12 07:16:08.000000000 +0000
+++ trafficserver-8.1.6+ds/debian/changelog 2023-01-04 08:22:58.000000000 +0000
@@ -1,3 +1,13 @@
+trafficserver (8.1.6+ds-1~deb11u1) bullseye-security; urgency=high
+
+ * Update d/u/signing-key for 8.1.x serie
+ * New upstream version 8.1.6+ds
+ * Multiple CVE fixes for 8.1.x
+ + CVE-2022-32749: Improper Check for Unusual or Exceptional Conditions vulnerability
+ + CVE-2022-37392: Improper Check for Unusual or Exceptional Conditions vulnerability
+
+ -- Jean Baptiste Favre Wed, 04 Jan 2023 09:22:58 +0100
+
 trafficserver (8.1.5+ds-1~deb11u1) bullseye-security; urgency=high
 * Update d/watch to stick to 8.1.X serie
diff -Nru trafficserver-8.1.5+ds/debian/upstream/signing-key.asc trafficserver-8.1.6+ds/debian/upstream/signing-key.asc
--- trafficserver-8.1.5+ds/debian/upstream/signing-key.asc 2022-08-12 07:16:08.000000000 +0000
+++ trafficserver-8.1.6+ds/debian/upstream/signing-key.asc 2023-01-04 08:05:53.000000000 +0000
@@ -164,3 +164,39 @@ OOTn8EiyYEnUd8hRk6q79qcgwyB6tdpsym/X6XA= =L+Pn -----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFrfXOQBCADWH9KDvX6DbxbXMMzgLEGVYKikpV7JnOKTMFGfw1wN2+y67f0u +87QSddKMqhHwINEMt7uzx308xiJYACJHGlQWT900D+D8HS1jUc7tGnnrATzFSePM +oNXJWDQmGYn1WKVY91mQraXKrbKuw2CjhXLfaLc9xKq0/8bjcv5hDu71xRtwe7Tp +A+6kPtyWqMjCEgzNQpKSP0hgEpmQvWq+K9ztJqZDn9giaclwLMXICHLwuL9V2miF +xZwI1v5xQPpngzIMY84vpinIVVhKtx75jkAJhJ9fDRQT/jQ1q+iyyaCGtZKhboRJ +Hsr4b20wbTLgWPxJevRvTRzr1Cem/scmoJSfABEBAAG0K0V2YW4gWmVsa293aXR6 +IDxldmFuX3plbGtvd2l0ekBjb21jYXN0LmNvbT6JAU4EEwEIADgCGwMFCwkIBwIG +FQoJCAsCBBYCAwECHgECF4AWIQRzFEqoOxCpewTB6YMVrWLpQBBOlgUCXGsuWQAK +CRAVrWLpQBBOlm86B/4jKArv5ennU5xTnsNFLV9CPLHYbf8rd+a7Lnahi96RpqtK +2YYGAYV/E6LvyHkFJm3nTGgbp27GSWKlPm5rGbEmtMSn8jk/RzlcEkU4DHWjuvqI +Xf0Vz5lXMOwcNHyIJpeadwrrWVUBP9Oy1ZUtg9am4aE26/YUqAdOaXVZPaqNuKJx +u7R8oXHr9PCKRs4/jb/XqeZmf84hgaoILSDKu/lTk6G1hKcHSreWVd+X5TR+ikOa +6DlfvOZ9ZO+Btwm/UypxRxJfx2WHQK3D/qDnlf1EBXcDOdbWSlGphcl4NkNrs+AT +3Go4y2acTJhu7Z5x6fW4A5oI0AlzcjzdVS79aM1juQINBFzdnvYBEADp9RpqKDC3 +otvOJpCG4P1XVNwiRkc2UsIgm1PvrqLVVK2/g5tJRthuonmFMC7YxH0Z1UYlgekD +291hCV5X78o9ThBvVbL67gp+GECRQmpY1jxgrqloPtZ0r6PN5QeOrKZ8orqdh9Ys +fX6zn+QNF6pyaE5Z0JMs3rXk6GLBilwQXRlFzRX3imi6fpmj+S9dIy5SQUvG0e5W +wiNKCu+zlHzZqtBskQNCkDdXfmolMxJ1lEUxBu9kigau+zg/R4veoL0U02hwLh4l +JjeEOOGXr+t3mosPQkNCthmb+CHmuLiovm35e6v9LzVuvR+pke/aQlxCJU3ulroq +m2sjhwhLjnxlTFcCuc6NJ22O81nW9Sl9dA8ShyXay+FUpIrP0CY5NFMBxtRTUG1T +1iAVL1yb1igvDM0EB5lDsd6f41HlGjUDKkL7skPiALTSzAuJsL1F/x+jZxB1mSeD +Hs4ephSaDPaiUbDSefpeYLaQ+JFei8Z75OWA6kMjHIbFwB8G0BGk0jQfTwNXl4Zu +iSNYzwWp9rByhX6oqQ/8ddW1IJ3oHJ9mzDl1JIX7L5UHYYtYzj5UIEl68l3Hb4Ko +PAArzBgosLvrCnCkCTiWbRQnmmTIVPxHADsqMJbkFuLLL1wnOItC2eWu/+yd2vcV +hhyqxGfPzrlHPuc0l3Cno6K7YEZE4KKlPQARAQABiQE2BBgBCAAgFiEEcxRKqDsQ +qXsEwemDFa1i6UAQTpYFAlzdnvYCGwwACgkQFa1i6UAQTpb37AgAyDuEfcduK0dH +0SjUoJqSJ6dOkwOuF0T+IKYi5ixDflOxJGDnZdOc8NeTCdylZxuE33DGWHyIk74w +Ituq3bzogkarYrxQBBmH49aGROy5l7kERDWeWQEujCPsREsntK5wYTMyhSap6g+f 
+pbe6xVMs+bVxBWusBSJcu/VYlJTqgd/3nP9DtFCPzBM791GJ1ghITrLaLvm2uvAa
+KPxRnXZ07d2CDvfhqGrBam9nGQJ75owfcHxhdQGV25ftJjfJbM04JfhcS4j20V+i
+DUxN7dqtHLuFd7d3btOZiuGI3EOBWxePbRPh2/Ip9mVqzGp5CVRU0pfx22o4DRIS
+tVtp6zI6yA==
+=x5Qr
+-----END PGP PUBLIC KEY BLOCK-----
diff -Nru trafficserver-8.1.5+ds/plugins/authproxy/authproxy.cc trafficserver-8.1.6+ds/plugins/authproxy/authproxy.cc
--- trafficserver-8.1.5+ds/plugins/authproxy/authproxy.cc 2022-08-09 13:57:23.000000000 +0000
+++ trafficserver-8.1.6+ds/plugins/authproxy/authproxy.cc 2022-12-14 17:03:30.000000000 +0000
@@ -82,6 +82,7 @@
 };
 static TSEvent StateAuthProxyConnect(AuthRequestContext *, void *);
+static TSEvent StateAuthProxyWriteReady(AuthRequestContext *, void *);
 static TSEvent StateAuthProxyWriteComplete(AuthRequestContext *, void *);
 static TSEvent StateUnauthorized(AuthRequestContext *, void *);
 static TSEvent StateAuthorized(AuthRequestContext *, void *);
@@ -129,6 +130,7 @@
 // State table for sending the request to the auth proxy.
 static const StateTransition StateTableProxyRequest[] = {
+ {TS_EVENT_VCONN_WRITE_READY, StateAuthProxyWriteReady, StateTableProxyRequest},
 {TS_EVENT_VCONN_WRITE_COMPLETE, StateAuthProxyWriteComplete, StateTableProxyReadHeader},
 {TS_EVENT_ERROR, StateUnauthorized, nullptr},
 {TS_EVENT_NONE, nullptr, nullptr}};
@@ -544,6 +546,13 @@
 }
 static TSEvent
+StateAuthProxyWriteReady(AuthRequestContext *auth, void * /* edata ATS_UNUSED */)
+{
+ TSVConnWrite(auth->vconn, auth->cont, auth->iobuf.reader, TSIOBufferReaderAvail(auth->iobuf.reader));
+ return TS_EVENT_CONTINUE;
+}
+
+static TSEvent
 StateAuthProxyWriteComplete(AuthRequestContext *auth, void * /* edata ATS_UNUSED */)
 {
 // We finished writing the auth proxy request. Kick off a read to get the response.
diff -Nru trafficserver-8.1.5+ds/proxy/http/HttpSM.cc trafficserver-8.1.6+ds/proxy/http/HttpSM.cc
--- trafficserver-8.1.5+ds/proxy/http/HttpSM.cc 2022-08-09 13:57:23.000000000 +0000
+++ trafficserver-8.1.6+ds/proxy/http/HttpSM.cc 2022-12-14 17:03:30.000000000 +0000
@@ -7499,6 +7499,9 @@
 if (server_entry != nullptr && server_entry->in_tunnel == false) {
 release_server_session();
 }
+
+ do_drain_request_body();
+
 // If we're in state SEND_API_RESPONSE_HDR, it means functions
 // registered to hook SEND_RESPONSE_HDR have already been called. So we do not
 // need to call do_api_callout. Otherwise TS loops infinitely in this state !
diff -Nru trafficserver-8.1.5+ds/tools/package/trafficserver.spec trafficserver-8.1.6+ds/tools/package/trafficserver.spec
--- trafficserver-8.1.5+ds/tools/package/trafficserver.spec 2022-08-09 13:57:23.000000000 +0000
+++ trafficserver-8.1.6+ds/tools/package/trafficserver.spec 2022-12-14 17:03:30.000000000 +0000
@@ -26,7 +26,7 @@
 Summary: Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache
 Name: trafficserver
-Version: 8.1.5
+Version: 8.1.6
 Release: %{release}%{?dist}
 License: Apache Software License 2.0 (AL2)
 Group: System Environment/Daemons
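Review bot: `StateAuthProxyWriteReady` carries no comment explaining why a WRITE_READY event is answered by starting a second `TSVConnWrite` on `auth->vconn` instead of re-enabling the write VIO already in flight, and the `TSVIO` returned by `TSVConnWrite` is discarded, so nothing in the hunk shows how the new write relates to the earlier one (presumably issued from `StateAuthProxyConnect`, which is outside this hunk). Because the transition installed for this event stays in `StateTableProxyRequest`, the handler can run on every WRITE_READY until WRITE_COMPLETE or TS_EVENT_ERROR arrives; if `TSIOBufferReaderAvail` can report 0 at that point a zero-length write is started, and whether that still produces the WRITE_COMPLETE the state machine waits for cannot be confirmed from this page. State the intent above the call, e.g. `// WRITE_READY: the original write VIO did not cover everything queued in iobuf; hand the remaining bytes to a new write and stay in this state until WRITE_COMPLETE.`, and note explicitly whether an empty reader is reachable here.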
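Review bot: The added `do_drain_request_body()` call is unconditional and has no comment saying why it belongs on this path, so a reader cannot tell from here whether the helper is a no-op when the client body was already forwarded to the origin (the preceding `server_entry->in_tunnel` check suggests that case exists) or when the request carries no body at all. Presumably the point is that a response generated here without contacting the origin leaves the client's request body unread, and on a keep-alive connection those leftover bytes would be parsed as the start of the next request, so the body has to be consumed or the connection closed; confirm that is what the helper guarantees and record it above the call: `// A response produced here never reads the client body; drain it so leftover bytes are not parsed as the next request on this connection.` The enclosing function starts and ends outside the hunk.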