Varnish is an http accellerator.
I recently requested an update for varnish-2.1.0 in f13 an rawhide. I hope it will be accepted for f13, as it contains a fix for CVE-2009-2936 (bz #579536, #579533).
CVE-2009-2936 states that it is a security problem that local users on a system running varnish have anonymously access to the varnish administration console (telnet interface), which, given enough varnish clue, is effectively giving them local root access. varnish-2.1.0 fixes this by adding password authentication to the administration console. This password fix will probably not be backported to the 2.0 series.
f12, f11, epel5 and epel4 have varnish-2.0.6. The configuration interface has changed a bit from the 2.0 to the 2.1 series. The change is not large, but a lot of users will have to change a configuration line or ten to be able to upgrade. This means that automatic upgrade is not possible, and according to the rules, we will thus have to stay with 2.0.x for these "old" stable releases (at least until some major security problem arises). Upstream will continue maintenance of the 2.0 series for at least some 6 months more, I guess.
I can "fix" this in two ways: Either (1) pack 2.1.0 for the "old" stable releases of fedora and epel, breaking existing configurations, or, (2) submit an update with the administration console switched off by default, possibly breaking automated scripts using it via nc or varnishadm.
I may also ignore the case. Upstream disputes the seriousness of this "bug".
I would like an advice on this from the security team, please.
Regards, Ingvar
On Tue, 20 Apr 2010 23:48:24 +0200 (CEST) Ingvar Hagelund ingvar@redpill-linpro.com wrote:
Varnish is an http accellerator.
I recently requested an update for varnish-2.1.0 in f13 an rawhide. I hope it will be accepted for f13, as it contains a fix for CVE-2009-2936 (bz #579536, #579533).
Yes, it should be. Just make sure it gets enough karma or you push it to stable directly.
CVE-2009-2936 states that it is a security problem that local users on a system running varnish have anonymously access to the varnish administration console (telnet interface), which, given enough varnish clue, is effectively giving them local root access. varnish-2.1.0 fixes this by adding password authentication to the administration console. This password fix will probably not be backported to the 2.0 series.
f12, f11, epel5 and epel4 have varnish-2.0.6. The configuration interface has changed a bit from the 2.0 to the 2.1 series. The change is not large, but a lot of users will have to change a configuration line or ten to be able to upgrade. This means that automatic upgrade is not possible, and according to the rules, we will thus have to stay with 2.0.x for these "old" stable releases (at least until some major security problem arises). Upstream will continue maintenance of the 2.0 series for at least some 6 months more, I guess.
I can "fix" this in two ways: Either (1) pack 2.1.0 for the "old" stable releases of fedora and epel, breaking existing configurations, or, (2) submit an update with the administration console switched off by default, possibly breaking automated scripts using it via nc or varnishadm.
1 may be acceptable for Fedora, but I would personally not recommend it. For EPEL 1 is forbidden. ;(
So, I would think 2 would be the better of the two.
Can you backport the password functionality to the 2.0 series? Or find someone interested in doing so?
I may also ignore the case. Upstream disputes the seriousness of this "bug".
Thats up to you as well depending on what you think the impact is.
I would like an advice on this from the security team, please.
This list is pretty dead, so not sure what if any other replies you will get. :(
kevin
----- "Kevin Fenzi" kevin@tummy.com wrote:
On Tue, 20 Apr 2010 23:48:24 +0200 (CEST) Ingvar Hagelund ingvar@redpill-linpro.com wrote:
I can "fix" this in two ways: Either (1) pack 2.1.0 for the "old" stable releases of fedora and epel, breaking existing configurations, or, (2) submit an update with the administration console switched off by default, possibly breaking automated scripts using it via nc or varnishadm.
1 may be acceptable for Fedora, but I would personally not recommend it. For EPEL 1 is forbidden. ;(
So, I would think 2 would be the better of the two.
Can you backport the password functionality to the 2.0 series? Or find someone interested in doing so?
I may also ignore the case. Upstream disputes the seriousness of this "bug".
This is probably the wisest solution. This isn't a serious bug, and upstream doesn't consider it a security flaw. I'd say as long as we're good moving forward, we can let the old things be.
Thanks for following up on this.
security@lists.fedoraproject.org