New critical vulnerability in Apache Traffic Server: attackers can bypass data access restrictions to obtain sensitive information

Apache Traffic Server (ATS) is a suite of portable HTTP proxy and cache servers from the Apache Foundation in the United States. Apache Traffic Server contains a security vulnerability.

Attackers may exploit this vulnerability to poison the server's negative cache and bypass data access restrictions to obtain confidential information.

Two vulnerabilities were found in Apache Traffic Server, a reverse and forward proxy server.

Details:

CVE-2020-17508

The ESI plugin was vulnerable to memory disclosure.

CVE-2020-17509

The negative cache option was vulnerable to cache poisoning.

For the stable distribution (buster), these problems have been fixed in version 8.0.2+ds-1+deb10u4.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver, please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/trafficserver

Information on how to apply these updates to your system, and frequently asked questions, can be found at: www.debian.org/security/

This critical bug was patched 2 days ago.