{"schema_version":"1.7.2","id":"OESA-2025-1732","modified":"2025-07-04T14:43:41Z","published":"2025-07-04T14:43:41Z","upstream":["CVE-2025-31698","CVE-2025-49763"],"summary":"trafficserver security update","details":"Apache Traffic Server is an OpenSource HTTP / HTTPS / HTTP/2 / QUIC reverse,\nforward and transparent proxy and cache.\r\n\r\nSecurity Fix(es):\n\nApache Traffic Server (ATS) is a set of scalable HTTP proxy and caching servers from the Apache Foundation in the United States.\n Apache Traffic Server (ATS) versions 10.0.0 to 10.0.6 and 9.0.0 to 9.2.10 have access control error vulnerabilities due to the ACL configuration not using the IP address provided by the PROXY protocol.(CVE-2025-31698)\n\nESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted.\n\nUsers can use a new setting for the plugin (--max-inclusion-depth) to limit it.\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10.\n\nUsers are recommended to upgrade to version 9.2.11 or 10.0.6,  which fixes the issue.(CVE-2025-49763)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"trafficserver","purl":"pkg:rpm/openEuler/trafficserver\u0026distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.2.11-1.oe2403"}]}],"ecosystem_specific":{"aarch64":["trafficserver-9.2.11-1.oe2403.aarch64.rpm","trafficserver-debuginfo-9.2.11-1.oe2403.aarch64.rpm","trafficserver-debugsource-9.2.11-1.oe2403.aarch64.rpm","trafficserver-devel-9.2.11-1.oe2403.aarch64.rpm","trafficserver-perl-9.2.11-1.oe2403.aarch64.rpm"],"src":["trafficserver-9.2.11-1.oe2403.src.rpm"],"x86_64":["trafficserver-9.2.11-1.oe2403.x86_64.rpm","trafficserver-debuginfo-9.2.11-1.oe2403.x86_64.rpm","trafficserver-debugsource-9.2.11-1.oe2403.x86_64.rpm","trafficserver-devel-9.2.11-1.oe2403.x86_64.rpm","trafficserver-perl-9.2.11-1.oe2403.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1732"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-31698"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49763"}],"database_specific":{"severity":"High"}}