Need advice on varnish in stable (f12, f11, epel5, epel4)

[Ingvar Hagelund]

Varnish is an http accellerator.

I recently requested an update for varnish-2.1.0 in f13 an rawhide. I hope it will be accepted for f13, as it contains a fix for CVE-2009-2936 (bz #579536, #579533).

CVE-2009-2936 states that it is a security problem that local users on a system running varnish have anonymously access to the varnish administration console (telnet interface), which, given enough varnish clue, is effectively giving them local root access. varnish-2.1.0 fixes this by adding password authentication to the administration console. This password fix will probably not be backported to the 2.0 series.

f12, f11, epel5 and epel4 have varnish-2.0.6. The configuration interface has changed a bit from the 2.0 to the 2.1 series. The change is not large, but a lot of users will have to change a configuration line or ten to be able to upgrade. This means that automatic upgrade is not possible, and according to the rules, we will thus have to stay with 2.0.x for these "old" stable releases (at least until some major security problem arises). Upstream will continue maintenance of the 2.0 series for at least some 6 months more, I guess.

I can "fix" this in two ways: Either (1) pack 2.1.0 for the "old" stable releases of fedora and epel, breaking existing configurations, or, (2) submit an update with the administration console switched off by default, possibly breaking automated scripts using it via nc or varnishadm.

I may also ignore the case. Upstream disputes the seriousness of this "bug".

I would like an advice on this from the security team, please.

Regards,
Ingvar