Version in base suite: 8.1.6+ds-1~deb11u1 Base version: trafficserver_8.1.6+ds-1~deb11u1 Target version: trafficserver_8.1.7+ds-1~deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/trafficserver/trafficserver_8.1.6+ds-1~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/trafficserver/trafficserver_8.1.7+ds-1~deb11u1.dsc CHANGELOG-8.1.7 | 4 ++ configs/ip_allow.config.default | 4 +- configure | 30 +++++++++---------- configure.ac | 4 +- debian/changelog | 10 ++++++ doc/admin-guide/files/ip_allow.config.en.rst | 12 +++---- plugins/s3_auth/aws_auth_v4.cc | 5 +++ plugins/s3_auth/aws_auth_v4.h | 1 plugins/s3_auth/aws_auth_v4_wrap.h | 5 +++ plugins/s3_auth/unit_tests/test_aws_auth_v4.cc | 14 ++++++++ plugins/s3_auth/unit_tests/test_aws_auth_v4.h | 7 ++++ proxy/http/HttpSM.cc | 7 ++++ tests/gold_tests/autest-site/min_cfg/ip_allow.config | 4 +- tools/package/trafficserver.spec | 2 - 14 files changed, 81 insertions(+), 28 deletions(-)
diff -Nru trafficserver-8.1.6+ds/CHANGELOG-8.1.7 trafficserver-8.1.7+ds/CHANGELOG-8.1.7
--- trafficserver-8.1.6+ds/CHANGELOG-8.1.7 1970-01-01 00:00:00.000000000 +0000
+++ trafficserver-8.1.7+ds/CHANGELOG-8.1.7 2023-06-06 22:18:29.000000000 +0000
@@ -0,0 +1,4 @@
+Changes with Apache Traffic Server 8.1.7
+ #9780 - s3_auth: Fix hash calculation
+ #9787 - 8.1.x: Add back push_method_enabled enforcement
+ #9789 - 8.1.x: Deny the TRACE method by default
diff -Nru trafficserver-8.1.6+ds/configs/ip_allow.config.default trafficserver-8.1.7+ds/configs/ip_allow.config.default
--- trafficserver-8.1.6+ds/configs/ip_allow.config.default 2022-12-14 17:03:30.000000000 +0000
+++ trafficserver-8.1.7+ds/configs/ip_allow.config.default 2023-06-06 22:18:29.000000000 +0000
@@ -23,5 +23,5 @@ src_ip=127.0.0.1 action=ip_allow method=ALL src_ip=::1 action=ip_allow method=ALL # Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all) -src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE -src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE +src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE|TRACE +src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE|TRACE diff -Nru trafficserver-8.1.6+ds/configure trafficserver-8.1.7+ds/configure --- trafficserver-8.1.6+ds/configure 2022-12-14 17:03:30.000000000 +0000 +++ trafficserver-8.1.7+ds/configure 2023-06-06 22:18:29.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Apache Traffic Server 8.1.6. +# Generated by GNU Autoconf 2.69 for Apache Traffic Server 8.1.7. # # Report bugs to . # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='Apache Traffic Server' PACKAGE_TARNAME='trafficserver' -PACKAGE_VERSION='8.1.6' -PACKAGE_STRING='Apache Traffic Server 8.1.6' +PACKAGE_VERSION='8.1.7' +PACKAGE_STRING='Apache Traffic Server 8.1.7' PACKAGE_BUGREPORT='dev@trafficserver.apache.org' PACKAGE_URL='http://trafficserver.apache.org' @@ -1673,7 +1673,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Apache Traffic Server 8.1.6 to adapt to many kinds of systems. +\`configure' configures Apache Traffic Server 8.1.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1744,7 +1744,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Apache Traffic Server 8.1.6:";; + short | recursive ) echo "Configuration of Apache Traffic Server 8.1.7:";; esac cat <<\_ACEOF 
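Review bot: The hardened default in the ip_allow.config.default hunk only reaches installs that take the shipped file; a deployment whose ip_allow.config was customized, or is preserved as a conffile on upgrade, presumably keeps denying just PUSH|PURGE|DELETE and never picks up the TRACE entry. A line in the upgrade notes (debian/changelog or CHANGELOG-8.1.7) telling operators to add `|TRACE` to their own deny rules would close that gap. The same default is mirrored in tests/gold_tests/autest-site/min_cfg/ip_allow.config and in the admin guide elsewhere in this diff.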
@@ -1985,7 +1985,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Apache Traffic Server configure 8.1.6 +Apache Traffic Server configure 8.1.7 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2815,7 +2815,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Apache Traffic Server $as_me 8.1.6, which was +It was created by Apache Traffic Server $as_me 8.1.7, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3684,7 +3684,7 @@ # Define the identity of the package. PACKAGE='trafficserver' - VERSION='8.1.6' + VERSION='8.1.7' cat >>confdefs.h <<_ACEOF @@ -3972,13 +3972,13 @@ # convention that attempts to solve problems that most people just # don't have and which just causes confusion for most end users. # -TS_VERSION_MAJOR=$((8001006 / 1000000 )) -TS_VERSION_MINOR=$(((8001006 / 1000) % 1000 )) -TS_VERSION_MICRO=$((8001006 % 1000 )) +TS_VERSION_MAJOR=$((8001007 / 1000000 )) +TS_VERSION_MINOR=$(((8001007 / 1000) % 1000 )) +TS_VERSION_MICRO=$((8001007 % 1000 )) TS_LIBTOOL_MAJOR=`echo $((${TS_VERSION_MAJOR} + ${TS_VERSION_MINOR}))` TS_LIBTOOL_VERSION=$TS_LIBTOOL_MAJOR:$TS_VERSION_MICRO:$TS_VERSION_MINOR -TS_VERSION_STRING=8.1.6 -TS_VERSION_NUMBER=8001006 +TS_VERSION_STRING=8.1.7 +TS_VERSION_NUMBER=8001007 # # Substitute the above version numbers into the various files below. @@ -30809,7 +30809,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Apache Traffic Server $as_me 8.1.6, which was +This file was extended by Apache Traffic Server $as_me 8.1.7, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -30876,7 +30876,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Apache Traffic Server config.status 8.1.6 +Apache Traffic Server config.status 8.1.7 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru trafficserver-8.1.6+ds/configure.ac trafficserver-8.1.7+ds/configure.ac --- trafficserver-8.1.6+ds/configure.ac 2022-12-14 17:03:30.000000000 +0000 +++ trafficserver-8.1.7+ds/configure.ac 2023-06-06 22:18:29.000000000 +0000 @@ -32,8 +32,8 @@ # Version number is calculated as MAJOR * 1000000 + MINOR * 1000 + MICRO # Version string is in the form of MAJOR.MINOR.MICRO[sufix] # -m4_define([TS_VERSION_S],[8.1.6]) -m4_define([TS_VERSION_N],[8001006]) +m4_define([TS_VERSION_S],[8.1.7]) +m4_define([TS_VERSION_N],[8001007]) AC_INIT([Apache Traffic Server], TS_VERSION_S(), [dev@trafficserver.apache.org], [trafficserver],[http://trafficserver.apache.org]) AC_PREREQ([2.59]) diff -Nru trafficserver-8.1.6+ds/debian/changelog trafficserver-8.1.7+ds/debian/changelog --- trafficserver-8.1.6+ds/debian/changelog 2023-01-04 08:22:58.000000000 +0000 +++ trafficserver-8.1.7+ds/debian/changelog 2023-06-21 09:16:56.000000000 +0000 
@@ -1,3 +1,13 @@
+trafficserver (8.1.7+ds-1~deb11u1) bullseye-security; urgency=high
+
+ * New upstream version 8.1.7+ds
+ * Multiple CVE fixes for 8.1.x (Closes: #1038248)
+ + CVE-2022-47184: Exposure of Sensitive Information to an Unauthorized Actor vulnerability
+ + CVE-2023-30631: Improper Input Validation vulnerability
+ + CVE-2023-33933: Exposure of Sensitive Information to an Unauthorized Actor vulnerability
+
+ -- Jean Baptiste Favre Wed, 21 Jun 2023 11:16:56 +0200
+
 trafficserver (8.1.6+ds-1~deb11u1) bullseye-security; urgency=high
 
  * Update d/u/signing-key for 8.1.x serie
diff -Nru trafficserver-8.1.6+ds/doc/admin-guide/files/ip_allow.config.en.rst trafficserver-8.1.7+ds/doc/admin-guide/files/ip_allow.config.en.rst
--- trafficserver-8.1.6+ds/doc/admin-guide/files/ip_allow.config.en.rst 2022-12-14 17:03:30.000000000 +0000
+++ trafficserver-8.1.7+ds/doc/admin-guide/files/ip_allow.config.en.rst 2023-06-06 22:18:29.000000000 +0000
@@ -70,20 +70,20 @@
 to |TS|. The ``dst_ip`` rules are checked when |TS| connects to another host.
 
 By default the :file:`ip_allow.config` file contains the following lines, which allows all methods
-to connections from localhost and denies the ``PUSH``, ``PURGE`` and ``DELETE`` methods to all other
-IP addresses (note this allows all other methods to all IP addresses)::
+to connections from localhost and denies the ``PUSH``, ``PURGE``, ``DELETE`` and ``TRACE`` methods
+to all other IP addresses (note this allows all other methods to all IP addresses)::
 
  src_ip=127.0.0.1 action=ip_allow method=ALL
  src_ip=::1 action=ip_allow method=ALL
- src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
- src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE
+ src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE|TRACE
+ src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE|TRACE
 
 This could also be specified as::
 
  src_ip=127.0.0.1 action=ip_allow method=ALL
  src_ip=::1 action=ip_allow method=ALL
- src_ip=0/0 action=ip_deny method=PUSH|PURGE|DELETE
- src_ip=::/0 action=ip_deny method=PUSH|PURGE|DELETE
+ src_ip=0/0 action=ip_deny method=PUSH|PURGE|DELETE|TRACE
+ src_ip=::/0 action=ip_deny method=PUSH|PURGE|DELETE|TRACE
 
 Examples
 ========
diff -Nru trafficserver-8.1.6+ds/plugins/s3_auth/aws_auth_v4.cc trafficserver-8.1.7+ds/plugins/s3_auth/aws_auth_v4.cc
--- trafficserver-8.1.6+ds/plugins/s3_auth/aws_auth_v4.cc 2022-12-14 17:03:30.000000000 +0000
+++ trafficserver-8.1.7+ds/plugins/s3_auth/aws_auth_v4.cc 2023-06-06 22:18:29.000000000 +0000
@@ -303,6 +303,11 @@
  str = api.getPath(&length);
  String path("/");
  path.append(str, length);
+ str = api.getParams(&length);
+ if (length > 0) {
+ path.append(";", 1);
+ path.append(str, length);
+ }
  String canonicalUri = canonicalEncode(path, /* isObjectName */ true);
  sha256Update(&canonicalRequestSha256Ctx, canonicalUri);
  sha256Update(&canonicalRequestSha256Ctx, "\n");
diff -Nru trafficserver-8.1.6+ds/plugins/s3_auth/aws_auth_v4.h trafficserver-8.1.7+ds/plugins/s3_auth/aws_auth_v4.h
--- trafficserver-8.1.6+ds/plugins/s3_auth/aws_auth_v4.h 2022-12-14 17:03:30.000000000 +0000
+++ trafficserver-8.1.7+ds/plugins/s3_auth/aws_auth_v4.h 2023-06-06 22:18:29.000000000 +0000
@@ -47,6 +47,7 @@
  virtual const char *getMethod(int *length) = 0;
  virtual const char *getHost(int *length) = 0;
  virtual const char *getPath(int *length) = 0;
+ virtual const char *getParams(int *length) = 0;
  virtual const char *getQuery(int *length) = 0;
  virtual HeaderIterator headerBegin() = 0;
  virtual HeaderIterator headerEnd() = 0;
diff -Nru trafficserver-8.1.6+ds/plugins/s3_auth/aws_auth_v4_wrap.h trafficserver-8.1.7+ds/plugins/s3_auth/aws_auth_v4_wrap.h
--- trafficserver-8.1.6+ds/plugins/s3_auth/aws_auth_v4_wrap.h 2022-12-14 17:03:30.000000000 +0000
+++ trafficserver-8.1.7+ds/plugins/s3_auth/aws_auth_v4_wrap.h 2023-06-06 22:18:29.000000000 +0000
@@ -108,6 +108,11 @@
  return TSUrlPathGet(_bufp, _url, len);
  }
  const char *
+ getParams(int *len) override
+ {
+ return TSUrlHttpParamsGet(_bufp, _url, len);
+ }
+ const char *
  getQuery(int *len) override
  {
  return TSUrlHttpQueryGet(_bufp, _url, len);
diff -Nru trafficserver-8.1.6+ds/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc trafficserver-8.1.7+ds/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc
--- trafficserver-8.1.6+ds/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc 2022-12-14 17:03:30.000000000 +0000
+++ trafficserver-8.1.7+ds/plugins/s3_auth/unit_tests/test_aws_auth_v4.cc 2023-06-06 22:18:29.000000000 +0000
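Review bot: The block starting at `str = api.getParams(&length);` is the actual hash fix (CHANGELOG-8.1.7 #9780) but carries no comment, so a reader cannot tell why URL path parameters are spliced into `path` with a `;` before it is canonically encoded. Suggest `// Path parameters (";k=v" after the path) belong to the canonical URI; leaving them out changes the canonical request hash and thus the signature.` above that line, and a half-sentence noting that the `length > 0` guard also keeps a null `str` from being appended when there are none. `str` and `length` are declared, and the enclosing function starts and ends, outside the hunk.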
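Review bot: `getParams` is added to the request interface in aws_auth_v4.h as a pure virtual, so every implementation, including any out of tree, must provide it before it compiles again; the two in-tree ones (aws_auth_v4_wrap.h and unit_tests/test_aws_auth_v4.h) are updated in this diff. A one-line comment on the declaration, `// URL path parameters without the leading ';' (the caller prepends it)`, would tell implementers what to return, since aws_auth_v4.cc inserts the `;` itself. The enclosing class starts and ends outside the hunk.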
@@ -404,6 +404,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("test.txt");
+ api._params.assign("");
  api._query.assign("");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("Range", "bytes=0-9"));
@@ -449,6 +450,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("lifecycle");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
@@ -493,6 +495,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("max-keys=2&prefix=J");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("x-amz-content-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
@@ -584,6 +587,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("max-keys=2&prefix=J");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD"));
@@ -633,6 +637,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("PATH==");
+ api._params.assign("");
  api._query.assign("key=TEST==");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD"));
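Review bot: Every `api._params.assign("");` added in these hunks, and in the remaining hunks of this file, supplies an empty string, so the `if (length > 0)` path added in aws_auth_v4.cc, the branch that actually changes the hash, runs in none of the unit tests. One test that assigns a non-empty value, e.g. `api._params.assign("p=1");` on a copy of an existing case, together with its expected canonical request and signature, would pin the new behaviour; the expected strings have to come from a reference signer, which this diff does not include. Without it a later change to the `;` join or to the encoding of the parameters would pass the suite unnoticed.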
@@ -679,6 +684,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("max-keys=2&prefix=J");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("Content-Type", "gzip"));
@@ -743,6 +749,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("max-keys=2&prefix=J");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("Content-Type", "gzip"));
@@ -777,6 +784,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("max-keys=2&prefix=J");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("Content-Type", "gzip"));
@@ -847,6 +855,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("max-keys=2&prefix=J");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("Content-Type", "gzip"));
@@ -881,6 +890,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("max-keys=2&prefix=J");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("Content-Type", "gzip"));
@@ -916,6 +926,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("max-keys=2&prefix=J");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("Content-Type", "gzip"));
@@ -951,6 +962,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("max-keys=2&prefix=J");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("Content-Type", "gzip"));
@@ -989,6 +1001,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("max-keys=2&prefix=J");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("Content-Type", "gzip"));
@@ -1022,6 +1035,7 @@
  api._method.assign("GET");
  api._host.assign("examplebucket.s3.amazonaws.com");
  api._path.assign("");
+ api._params.assign("");
  api._query.assign("max-keys=2&prefix=J");
  api._headers.insert(std::make_pair("Host", "examplebucket.s3.amazonaws.com"));
  api._headers.insert(std::make_pair("x-amz-content-sha256", "UNSIGNED-PAYLOAD"));
diff -Nru trafficserver-8.1.6+ds/plugins/s3_auth/unit_tests/test_aws_auth_v4.h trafficserver-8.1.7+ds/plugins/s3_auth/unit_tests/test_aws_auth_v4.h
--- trafficserver-8.1.6+ds/plugins/s3_auth/unit_tests/test_aws_auth_v4.h 2022-12-14 17:03:30.000000000 +0000
+++ trafficserver-8.1.7+ds/plugins/s3_auth/unit_tests/test_aws_auth_v4.h 2023-06-06 22:18:29.000000000 +0000
@@ -95,6 +95,12 @@
  return _path.c_str();
  }
  const char *
+ getParams(int *length)
+ {
+ *length = _params.length();
+ return _params.c_str();
+ }
+ const char *
  getQuery(int *length)
  {
  *length = _query.length();
@@ -114,6 +120,7 @@
  String _method;
  String _host;
  String _path;
+ String _params;
  String _query;
  HeaderMultiMap _headers;
  };
diff -Nru trafficserver-8.1.6+ds/proxy/http/HttpSM.cc trafficserver-8.1.7+ds/proxy/http/HttpSM.cc
--- trafficserver-8.1.6+ds/proxy/http/HttpSM.cc 2022-12-14 17:03:30.000000000 +0000
+++ trafficserver-8.1.7+ds/proxy/http/HttpSM.cc 2023-06-06 22:18:29.000000000 +0000
@@ -773,6 +773,13 @@
  }
  }
 
+ if (t_state.hdr_info.client_request.method_get_wksidx() == HTTP_WKSIDX_PUSH &&
+ t_state.http_config_param->push_method_enabled == 0) {
+ SMDebug("http", "Rejecting PUSH request because push_method_enabled is 0.");
+ call_transact_and_set_next_state(HttpTransact::Forbidden);
+ return 0;
+ }
+
  if (t_state.hdr_info.client_request.method_get_wksidx() == HTTP_WKSIDX_TRACE ||
  (t_state.hdr_info.client_request.get_content_length() == 0 &&
  t_state.client_info.transfer_encoding != HttpTransact::CHUNKED_ENCODING)) {
diff -Nru trafficserver-8.1.6+ds/tests/gold_tests/autest-site/min_cfg/ip_allow.config trafficserver-8.1.7+ds/tests/gold_tests/autest-site/min_cfg/ip_allow.config
--- trafficserver-8.1.6+ds/tests/gold_tests/autest-site/min_cfg/ip_allow.config 2022-12-14 17:03:30.000000000 +0000
+++ trafficserver-8.1.7+ds/tests/gold_tests/autest-site/min_cfg/ip_allow.config 2023-06-06 22:18:29.000000000 +0000
@@ -1,4 +1,4 @@
 src_ip=127.0.0.1 action=ip_allow method=ALL
 src_ip=::1 action=ip_allow method=ALL
-src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
-src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE
\ No newline at end of file
+src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE|TRACE
+src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE|TRACE
diff -Nru trafficserver-8.1.6+ds/tools/package/trafficserver.spec trafficserver-8.1.7+ds/tools/package/trafficserver.spec
--- trafficserver-8.1.6+ds/tools/package/trafficserver.spec 2022-12-14 17:03:30.000000000 +0000
+++ trafficserver-8.1.7+ds/tools/package/trafficserver.spec 2023-06-06 22:18:29.000000000 +0000
@@ -26,7 +26,7 @@
 
 Summary: Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache
 Name: trafficserver
-Version: 8.1.6
+Version: 8.1.7
 Release: %{release}%{?dist}
 License: Apache Software License 2.0 (AL2)
 Group: System Environment/Daemons
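Review bot: The PUSH rejection added before the TRACE check has no comment tying it to the `push_method_enabled` setting it enforces, and the only record of a rejected request is the `SMDebug("http", ...)` line, which is presumably silent unless the `http` debug tag is turned on. Suggest `// Refuse PUSH unless push_method_enabled is set; ip_allow.config denies PUSH by default too, this covers setups that allow it there (CHANGELOG-8.1.7 #9787).` above the `if`, and operators who want to detect rejected PUSH attempts should key on the `HttpTransact::Forbidden` response in the access log rather than on the debug message. The enclosing function starts and ends outside the hunk.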