{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"trafficserver security update", "category":"general", "title":"Synopsis" }, { "text":"An update for trafficserver is now available for openEuler-24.03-LTS-SP2", "category":"general", "title":"Summary" }, { "text":"Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse,\nforward and transparent proxy and cache.\n\nSecurity Fix(es):\n\nApache Traffic Server (ATS) is a set of scalable HTTP proxy and caching servers from the Apache Foundation in the United States.\n Apache Traffic Server (ATS) versions 10.0.0 to 10.0.6 and 9.0.0 to 9.2.10 have access control error vulnerabilities due to the ACL configuration not using the IP address provided by the PROXY protocol.(CVE-2025-31698)\n\nESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.\n\nUsers can use a new setting for the plugin (--max-inclusion-depth) to limit it.\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.\n\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.(CVE-2025-49763)", "category":"general", "title":"Description" }, { "text":"An update for trafficserver is now available for master/openEuler-20.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"trafficserver", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-1904", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1904" }, { "summary":"CVE-2025-31698", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-31698&packageName=trafficserver" }, { "summary":"CVE-2025-49763", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-49763&packageName=trafficserver" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-31698" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49763" }, { "summary":"openEuler-SA-2025-1904 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1904.json" } ], "title":"An update for trafficserver is now available for openEuler-24.03-LTS-SP2", "tracking":{ "initial_release_date":"2025-07-26T09:31:06+08:00", "revision_history":[ { "date":"2025-07-26T09:31:06+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-07-26T09:31:06+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-07-26T09:31:06+08:00", "id":"openEuler-SA-2025-1904", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"openEuler-24.03-LTS-SP2", "name":"openEuler-24.03-LTS-SP2" }, "name":"openEuler-24.03-LTS-SP2", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"trafficserver-9.2.11-1.oe2403sp2.aarch64.rpm", "name":"trafficserver-9.2.11-1.oe2403sp2.aarch64.rpm" }, "name":"trafficserver-9.2.11-1.oe2403sp2.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64.rpm", "name":"trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64.rpm" }, "name":"trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64.rpm", "name":"trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64.rpm" }, "name":"trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"trafficserver-devel-9.2.11-1.oe2403sp2.aarch64.rpm", "name":"trafficserver-devel-9.2.11-1.oe2403sp2.aarch64.rpm" }, "name":"trafficserver-devel-9.2.11-1.oe2403sp2.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"trafficserver-perl-9.2.11-1.oe2403sp2.aarch64.rpm", "name":"trafficserver-perl-9.2.11-1.oe2403sp2.aarch64.rpm" }, "name":"trafficserver-perl-9.2.11-1.oe2403sp2.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"trafficserver-9.2.11-1.oe2403sp2.src.rpm", "name":"trafficserver-9.2.11-1.oe2403sp2.src.rpm" }, "name":"trafficserver-9.2.11-1.oe2403sp2.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"trafficserver-9.2.11-1.oe2403sp2.x86_64.rpm", "name":"trafficserver-9.2.11-1.oe2403sp2.x86_64.rpm" }, "name":"trafficserver-9.2.11-1.oe2403sp2.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64.rpm", "name":"trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64.rpm" }, "name":"trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64.rpm", "name":"trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64.rpm" }, "name":"trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"trafficserver-devel-9.2.11-1.oe2403sp2.x86_64.rpm", "name":"trafficserver-devel-9.2.11-1.oe2403sp2.x86_64.rpm" }, "name":"trafficserver-devel-9.2.11-1.oe2403sp2.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"trafficserver-perl-9.2.11-1.oe2403sp2.x86_64.rpm", "name":"trafficserver-perl-9.2.11-1.oe2403sp2.x86_64.rpm" }, "name":"trafficserver-perl-9.2.11-1.oe2403sp2.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"trafficserver-9.2.11-1.oe2403sp2.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.aarch64", "name":"trafficserver-9.2.11-1.oe2403sp2.aarch64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64", "name":"trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64", "name":"trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"trafficserver-devel-9.2.11-1.oe2403sp2.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.aarch64", "name":"trafficserver-devel-9.2.11-1.oe2403sp2.aarch64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"trafficserver-perl-9.2.11-1.oe2403sp2.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.aarch64", "name":"trafficserver-perl-9.2.11-1.oe2403sp2.aarch64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"trafficserver-9.2.11-1.oe2403sp2.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.src", "name":"trafficserver-9.2.11-1.oe2403sp2.src as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"trafficserver-9.2.11-1.oe2403sp2.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.x86_64", "name":"trafficserver-9.2.11-1.oe2403sp2.x86_64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64", "name":"trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64", "name":"trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"trafficserver-devel-9.2.11-1.oe2403sp2.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.x86_64", "name":"trafficserver-devel-9.2.11-1.oe2403sp2.x86_64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"trafficserver-perl-9.2.11-1.oe2403sp2.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.x86_64", "name":"trafficserver-perl-9.2.11-1.oe2403sp2.x86_64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-31698", "notes":[ { "text":"Apache Traffic Server (ATS) is a set of scalable HTTP proxy and caching servers from the Apache Foundation in the United States.\n Apache Traffic Server (ATS) versions 10.0.0 to 10.0.6 and 9.0.0 to 9.2.10 have access control error vulnerabilities due to the ACL configuration not using the IP address provided by the PROXY protocol.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.x86_64" ], "details":"trafficserver security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1904" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2025-31698" }, { "cve":"CVE-2025-49763", "notes":[ { "text":"ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.\n\nUsers can use a new setting for the plugin (--max-inclusion-depth) to limit it.\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.\n\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.x86_64" ], "details":"trafficserver security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1904" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.src", "openEuler-24.03-LTS-SP2:trafficserver-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-devel-9.2.11-1.oe2403sp2.x86_64", "openEuler-24.03-LTS-SP2:trafficserver-perl-9.2.11-1.oe2403sp2.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2025-49763" } ] }