Need advice on varnish in stable (f12, f11, epel5, epel4)

Kevin Fenzi kevin at tummy.com
Wed Apr 21 20:46:20 UTC 2010


On Tue, 20 Apr 2010 23:48:24 +0200 (CEST)
Ingvar Hagelund <ingvar at redpill-linpro.com> wrote:

> Varnish is an http accelerator.
> 
> I recently requested an update for varnish-2.1.0 in f13 and rawhide. I
> hope it will be accepted for f13, as it contains a fix for
> CVE-2009-2936 (bz #579536, #579533).

Yes, it should be. Just make sure it gets enough karma or you push it
to stable directly. 

> CVE-2009-2936 states that it is a security problem that local users
> on a system running varnish have anonymous access to the varnish
> administration console (telnet interface), which, given enough
> varnish clue, is effectively giving them local root access.
> varnish-2.1.0 fixes this by adding password authentication to the
> administration console. This password fix will probably not be
> backported to the 2.0 series.
> 
> f12, f11, epel5 and epel4 have varnish-2.0.6. The configuration
> interface has changed a bit from the 2.0 to the 2.1 series. The
> change is not large, but a lot of users will have to change a
> configuration line or ten to be able to upgrade. This means that
> automatic upgrade is not possible, and according to the rules, we
> will thus have to stay with 2.0.x for these "old" stable releases (at
> least until some major security problem arises). Upstream will
> continue maintenance of the 2.0 series for at least some 6 months
> more, I guess.
> 
> I can "fix" this in two ways: Either (1) pack 2.1.0 for the "old"
> stable releases of fedora and epel, breaking existing configurations,
> or, (2) submit an update with the administration console switched off
> by default, possibly breaking automated scripts using it via nc or
> varnishadm.

1 may be acceptable for Fedora, but I would personally not recommend
it. For EPEL, 1 is forbidden. ;(

So, I would think 2 would be the better of the two. 

Can you backport the password functionality to the 2.0 series?
Or find someone interested in doing so?

> I may also ignore the case. Upstream disputes the seriousness of this
> "bug".

That's up to you as well, depending on what you think the impact is.

> I would like some advice on this from the security team, please.

This list is pretty dead, so not sure what if any other replies you
will get. :( 

kevin