Page MenuHomePhabricator
Create Task
Maniphest T285535

Backport ATS 8.1.2 security fixes to our in-house ATS 8.0.8
Closed, ResolvedPublicSecurity
Actions

Description

Per https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E ATS 8.1 ships the following security fixes:

CVE-2021-27577 Incorrect handling of url fragment leads to cache poisoning
CVE-2021-32565 HTTP Request Smuggling, content length with invalid charters
CVE-2021-32566 Specific sequence of HTTP/2 frames can cause ATS to crash
CVE-2021-32567 Reading HTTP/2 frames too many times
CVE-2021-35474 Dynamic stack buffer overflow in cachekey plugin

Sadly we don't have a clear upgrade path from our current ATS 8.0.8 to ATS 8.1.2 as the last time we tried an ATS 8.1 build we observed serious performance drawbacks on ATS backend

Details

Author Affiliation
WMF Technology Dept
ProjectBranchLines +/-Subject
operations/debs/trafficservermaster+176 -4Release 8.0.8-1wm4
Customize query in gerrit

Event Timeline

Vgutierrez created this task.Jun 25 2021, 9:11 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 25 2021, 9:11 AM
Vgutierrez triaged this task as High priority.Jun 25 2021, 9:12 AM
Vgutierrez edited projects, added Traffic, SRE; removed Security-Team.
Vgutierrez closed this task as Resolved.Jun 28 2021, 10:34 AM
Vgutierrez claimed this task.

All cp servers are now running ATS 8.0.8-1wm4:

===== NODE GROUP =====                                                                                                                                                            
(76) cp[2027-2042].codfw.wmnet,cp[1075-1090].eqiad.wmnet,cp[5001-5016].eqsin.wmnet,cp[3050-3065].esams.wmnet,cp[4021-4032].ulsfo.wmnet                                            
----- OUTPUT of 'apt-cache policy...r|grep Installed' -----                                                                                                                       
  Installed: 8.0.8-1wm4
ema changed the edit policy from "Custom Policy" to "All Users".Jun 28 2021, 11:31 AM
ema changed the visibility from "Custom Policy" to "Public (No Login Required)".
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL