CVE-2021-44040

NameCVE-2021-44040
DescriptionImproper Input Validation vulnerability in request line parsing of Apache Traffic Server allows an attacker to send invalid requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.3 and 9.0.0 to 9.1.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5153-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
trafficserver (PTS)buster8.0.2+ds-1+deb10u6fixed
buster (security)8.1.7-0+deb10u3fixed
bullseye8.1.9+ds-1~deb11u1fixed
bullseye (security)8.1.10+ds-1~deb11u1fixed
bookworm9.2.3+ds-1+deb12u1fixed
bookworm (security)9.2.4+ds-0+deb12u1fixed
sid9.2.4+ds-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
trafficserversourcebuster8.0.2+ds-1+deb10u6DSA-5153-1
trafficserversourcebullseye8.1.1+ds-1.1+deb11u1DSA-5153-1
trafficserversource(unstable)9.1.2+ds-1

Notes

https://lists.apache.org/thread/zblwzcfs9ryhwjr89wz4osw55pxm6dx6
https://github.com/apache/trafficserver/commit/85c319a7f7c0537bee408ea25df6f1a5ed0a4071
https://github.com/apache/trafficserver/commit/c4e6661a5a205b1f60279f0e66aa496023185967
https://github.com/apache/trafficserver/commit/8c6f2ed84ba0d8e6255baceb99ee891ebe1ce473
Search for package or bug name: Reporting problems