An update for trafficserver is now available for openEuler-24.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1904 Final 1.0 1.0 2025-07-25 Initial 2025-07-25 2025-07-25 openEuler SA Tool V1.0 2025-07-25 trafficserver security update An update for trafficserver is now available for openEuler-24.03-LTS-SP2 Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache. Security Fix(es): Apache Traffic Server (ATS) is a set of scalable HTTP proxy and caching servers from the Apache Foundation in the United States. Apache Traffic Server (ATS) versions 10.0.0 to 10.0.6 and 9.0.0 to 9.2.10 have access control error vulnerabilities due to the ACL configuration not using the IP address provided by the PROXY protocol.(CVE-2025-31698) ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.(CVE-2025-49763) An update for trafficserver is now available for master/openEuler-20.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High trafficserver https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1904 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-31698 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-49763 https://nvd.nist.gov/vuln/detail/CVE-2025-31698 https://nvd.nist.gov/vuln/detail/CVE-2025-49763 openEuler-24.03-LTS-SP2 trafficserver-9.2.11-1.oe2403sp2.aarch64.rpm trafficserver-debuginfo-9.2.11-1.oe2403sp2.aarch64.rpm trafficserver-debugsource-9.2.11-1.oe2403sp2.aarch64.rpm trafficserver-devel-9.2.11-1.oe2403sp2.aarch64.rpm trafficserver-perl-9.2.11-1.oe2403sp2.aarch64.rpm trafficserver-9.2.11-1.oe2403sp2.src.rpm trafficserver-9.2.11-1.oe2403sp2.x86_64.rpm trafficserver-debuginfo-9.2.11-1.oe2403sp2.x86_64.rpm trafficserver-debugsource-9.2.11-1.oe2403sp2.x86_64.rpm trafficserver-devel-9.2.11-1.oe2403sp2.x86_64.rpm trafficserver-perl-9.2.11-1.oe2403sp2.x86_64.rpm Apache Traffic Server (ATS) is a set of scalable HTTP proxy and caching servers from the Apache Foundation in the United States. Apache Traffic Server (ATS) versions 10.0.0 to 10.0.6 and 9.0.0 to 9.2.10 have access control error vulnerabilities due to the ACL configuration not using the IP address provided by the PROXY protocol. 2025-07-25 CVE-2025-31698 openEuler-24.03-LTS-SP2 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N trafficserver security update 2025-07-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1904 ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue. 2025-07-25 CVE-2025-49763 openEuler-24.03-LTS-SP2 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H trafficserver security update 2025-07-25 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1904