--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-babfbc2622
2022-11-23 01:19:08.440331
--------------------------------------------------------------------------------
Name : varnish
Product : Fedora 36
Version : 7.0.3
Release : 2.fc36
URL :
https://www.varnish-cache.org/
Summary : High-performance HTTP accelerator
Description :
This is Varnish Cache, a high-performance HTTP accelerator.
Varnish Cache stores web pages in memory so web servers don���t have to
create the same web page over and over again. Varnish Cache serves
pages much faster than any application server; giving the website a
significant speed up.
Documentation wiki and additional information about Varnish Cache is
available on:
https://www.varnish-cache.org/
--------------------------------------------------------------------------------
Update Information:
This release includes fix for CVE-2022-45059 (VSV00010) and CVE-2022-45060
(VSV00011). From the upstream release notes: VSV00010 Varnish Request Smuggling
Vulnerability Date: 2022-11-08 A request smuggling attack can be performed on
Varnish Cache servers by requesting that certain headers are made hop-by-hop,
preventing the Varnish Cache servers from forwarding critical headers to the
backend. Among the headers that can be filtered this way are both Content-Length
and Host, making it possible for an attacker to both break the HTTP/1 protocol
framing, and bypass request to host routing in VCL. VSV00011 Varnish HTTP/2
Request Forgery Vulnerability Date: 2022-11-08 A request forgery attack can be
performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An
attacker may introduce characters through the HTTP/2 pseudo-headers that are
invalid in the context of an HTTP/1 request line, causing the Varnish server to
produce invalid HTTP/1 requests to the backend. This may in turn be used to
successfully exploit vulnerabilities in a server behind the Varnish server.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Nov 14 2022 Ingvar Hagelund <ingvar(a)redpill-linpro.com> - 7.0.3-2
- Picked upstream patches from 7.1 branch
- Fixes CVE-2022-45059 aka VSV00010, rhbz#2141842
- Fixes CVE-2022-45060 aka VSV00011, rhbz#2141847
- Removed references to patches no longer needed
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2141842 - CVE-2022-45059 varnish: Request Smuggling Vulnerability
[fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2141842
[ 2 ] Bug #2141847 - CVE-2022-45060 varnish: Request Forgery Vulnerability [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2141847
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-babfbc2622' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------