On Tue, 20 Apr 2010 23:48:24 +0200 (CEST)
Ingvar Hagelund <ingvar(a)redpill-linpro.com> wrote:
Varnish is an HTTP accelerator.
I recently requested an update for varnish-2.1.0 in f13 and rawhide. I
hope it will be accepted for f13, as it contains a fix for
CVE-2009-2936 (bz #579536, #579533).
Yes, it should be. Just make sure it gets enough karma or you push it
to stable directly.
CVE-2009-2936 states that it is a security problem that local users
on a system running varnish have anonymous access to the varnish
administration console (telnet interface), which, given enough
varnish clue, is effectively giving them local root access.
varnish-2.1.0 fixes this by adding password authentication to the
administration console. This password fix will probably not be
backported to the 2.0 series.
f12, f11, epel5 and epel4 have varnish-2.0.6. The configuration
interface has changed a bit from the 2.0 to the 2.1 series. The
change is not large, but a lot of users will have to change a
configuration line or ten to be able to upgrade. This means that
automatic upgrade is not possible, and according to the rules, we
will thus have to stay with 2.0.x for these "old" stable releases (at
least until some major security problem arises). Upstream will
continue maintenance of the 2.0 series for at least some 6 months
more, I guess.
I can "fix" this in two ways: Either (1) pack 2.1.0 for the "old"
stable releases of fedora and epel, breaking existing configurations,
or, (2) submit an update with the administration console switched off
by default, possibly breaking automated scripts using it via nc or
varnishadm.
1 may be acceptable for Fedora, but I would personally not recommend
it. For EPEL 1 is forbidden. ;(
So, I would think 2 would be the better of the two.
Can you backport the password functionality to the 2.0 series?
Or find someone interested in doing so?
I may also ignore the case. Upstream disputes the seriousness of this
"bug".
That's up to you as well depending on what you think the impact is.
I would like advice on this from the security team, please.
This list is pretty dead, so not sure what if any other replies you
will get. :(
kevin
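The thread turns on whether a running varnishd exposes its management console (the `-T addr:port` telnet interface) without the password protection that 2.1.0 adds via a `-S secret-file`, or whether option (2), leaving `-T` off entirely, has been applied. The following audit script is an added example, not code from the thread, from Fedora, or from the Varnish project. It assumes the varnish 2.1 convention that `-T` enables the console and `-S` names the shared-secret file (2.0.x has no `-S`, so `-T` there is always unauthenticated); the command lines it inspects are constructed samples in the shape `ps -o args` would print, not captured from a real host.

```python
"""Audit varnishd command lines for an unauthenticated management console.

Added example; assumes the varnish 2.1 options `-T addr:port` (enable the
management console) and `-S secret-file` (require the shared secret).
"""
import shlex

# Constructed sample command lines, as they might appear in `ps -o args`
# output. They are not captured from any real system.
SAMPLE_PROCESSES = [
    # 2.0-style: console on localhost, no authentication option at all
    "/usr/sbin/varnishd -P /var/run/varnish.pid -a :6081 -T localhost:6082 "
    "-f /etc/varnish/default.vcl",
    # 2.1-style: console protected by a shared-secret file
    "/usr/sbin/varnishd -P /var/run/varnish.pid -a :6081 -T 127.0.0.1:6082 "
    "-S /etc/varnish/secret -f /etc/varnish/default.vcl",
    # console enabled and bound to every interface, no secret file
    "/usr/sbin/varnishd -P /var/run/varnish.pid -a :6081 -T :6082 "
    "-f /etc/varnish/default.vcl",
    # option (2) from the thread: console not enabled at all
    "/usr/sbin/varnishd -P /var/run/varnish.pid -a :6081 -f /etc/varnish/default.vcl",
]


def parse_varnishd_args(cmdline):
    """Return (admin_listen, secret_file) from a varnishd command line.

    Accepts both the separated form (`-T addr`) and the joined form (`-Taddr`).
    Either value is None when the option is absent.
    """
    argv = shlex.split(cmdline)
    opts = {"-T": None, "-S": None}
    i = 1  # argv[0] is the varnishd binary itself
    while i < len(argv):
        arg = argv[i]
        for flag in opts:
            if arg == flag and i + 1 < len(argv):
                opts[flag] = argv[i + 1]
                i += 1  # consume the value as well
                break
            if arg.startswith(flag) and len(arg) > len(flag):
                opts[flag] = arg[len(flag):]
                break
        i += 1
    return opts["-T"], opts["-S"]


def is_loopback(listen):
    """True when the `-T` listen spec is bound to a loopback address only.

    An empty host part (e.g. ":6082") means all interfaces, so it is not loopback.
    """
    host = listen.rsplit(":", 1)[0] if ":" in listen else listen
    return host in ("localhost", "127.0.0.1", "::1", "[::1]")


def audit_varnishd(cmdline):
    """Classify one varnishd command line with respect to CVE-2009-2936."""
    listen, secret = parse_varnishd_args(cmdline)
    if listen is None:
        finding = "management console disabled"
    elif secret is None and is_loopback(listen):
        finding = "management console enabled without -S: any local user can connect"
    elif secret is None:
        finding = "management console enabled without -S and bound to a non-loopback address"
    else:
        finding = "management console enabled with -S secret file"
    return {"admin_listen": listen, "secret_file": secret, "finding": finding}


def audit_all(cmdlines):
    """Audit a list of command lines; returns one result dict per line."""
    return [audit_varnishd(c) for c in cmdlines]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_PROCESSES):
        print(result)
```

On a real host the input would come from `ps -o args= -C varnishd` (or from `/etc/sysconfig/varnish` on Fedora and EPEL, where the daemon options are assembled); the classification is what an administrator weighing option (2) against the 2.1 upgrade would want to see for each running instance.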