Bug 637578 (CVE-2017-8807, CVE-2019-15892, CVE-2019-20637, CVE-2020-11653) - <www-servers/varnish-{6.0.6,6.3.2}: Multiple vulnerabilities (CVE-2017-8807, CVE-2019-15892, CVE-2019-20637, CVE-2020-11653)
Summary: <www-servers/varnish-{6.0.6,6.3.2}: Multiple vulnerabilities (CVE-2017-8807, CVE-2019-15892, CVE-2019-20637, CVE-2020-11653)
Status: RESOLVED FIXED
Alias: CVE-2017-8807, CVE-2019-15892, CVE-2019-20637, CVE-2020-11653
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://varnish-cache.org/security/VS...
Whiteboard: B3 [noglsa cve]
Reported: 2017-11-15 13:37 UTC by Francis Booth
Modified: 2020-06-18 02:43 UTC (History)
Package list:
=www-servers/varnish-6.0.6 amd64 x86 =www-servers/varnish-6.3.2 amd64 x86
Runtime testing required: ---
nattka: sanity-check+
Description Francis Booth 2017-11-15 13:37:14 UTC
'shamger' and Carlo Cannas discovered that a programming error in
Varnish, a state of the art, high-performance web accelerator, may
result in disclosure of memory contents or denial of service.

An invalid if statement can cause the over-allocation of memory causing a segfault in the application.

Reproducible: Didn't try
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 19:05:51 UTC
Fixed in
4.1.9 and forward
5.2.1 and forward

Please Update
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-13 23:56:28 UTC
(In reply to Yury German from comment #1)
> Fixed in
> 4.1.9 and forward
> 5.2.1 and forward
> 
> Please Update

Seems that 4.1.0 - 5.2.0 is affected, so in tree, these are still problematic:
- 4.1.8
- 5.1.3

(note that <4.1.0 not affected)
Comment 3 Anthony Basile gentoo-dev 2020-03-14 22:29:52 UTC
(In reply to sam_c (Security Padawan) from comment #2)
> (In reply to Yury German from comment #1)
> > Fixed in
> > 4.1.9 and forward
> > 5.2.1 and forward
> > 
> > Please Update
> 
> Seems that 4.1.0 - 5.2.0 is affected, so in tree, these are still
> problematic:
> - 4.1.8
> - 5.1.3
> 
> (note that <4.1.0 not affected)

yep, I'm just waiting for 5.2.1 to be stabilized on x86.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 03:47:28 UTC
I checked the site and noticed this bug doesn't cover all the vulnerable versions in tree. I've summarised the versions which need to be culled here, hopefully it's useful -- I needed it at least!

- 4.x (it's EOL'd) (remove entirely)
-- 4.0.5 (EOL)
-- 4.1.8 (affected here)
-- 5.1.3 (affected here)

- 5.x (it's EOL'd) (remove entirely)

-- 5.2.1 (EOL) (affected by VSV00004) [0]
-- 5.1.3 (affected here)

- 6.0.x (supported)
-- 6.0.1 (affected by VSV00004) [0]
-- 6.1.1 (affected by VSV00005) [1]
-- 6.2.2 (affected by VSV00005) [1]
-- 6.3.0 (affected by VSV00005) [1]
-- 6.3.1 (affected by VSV00005) [1]

So, with this in mind, I think it looks right to stabilise 6.3.2 and drop 4.x, 5.x, the vulnerable in 6.x (and therefore abandon the existing stabilisation effort).

[0] VSV00004: https://varnish-cache.org/security/VSV00004.html#vsv00004
[1] VSV00005: https://varnish-cache.org/security/VSV00005.html#vsv00005
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-08 23:49:06 UTC
[updating with assigned CVEs]
Comment 6 NATTkA bot gentoo-dev 2020-04-12 19:31:14 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-16 21:53:20 UTC
(In reply to Sam James (sec padawan) from comment #4)
> I checked the site and noticed this bug doesn't cover all the vulnerable
> versions in tree. I've summarised the versions which need to be culled here,
> hopefully it's useful -- I needed it at least!
> 
> - 4.x (it's EOL'd) (remove entirely)
> -- 4.0.5 (EOL)
> -- 4.1.8 (affected here)
> -- 5.1.3 (affected here)
> 
> - 5.x (it's EOL'd) (remove entirely)
> 
> -- 5.2.1 (EOL) (affected by VSV00004) [0]
> -- 5.1.3 (affected here)
> 
> - 6.0.x (supported)
> -- 6.0.1 (affected by VSV00004) [0]
> -- 6.1.1 (affected by VSV00005) [1]
> -- 6.2.2 (affected by VSV00005) [1]
> -- 6.3.0 (affected by VSV00005) [1]
> -- 6.3.1 (affected by VSV00005) [1]
> 
> So, with this in mind, I think it looks right to stabilise 6.3.2 and drop
> 4.x, 5.x, the vulnerable in 6.x (and therefore abandon the existing
> stabilisation effort).
> 
> [0] VSV00004: https://varnish-cache.org/security/VSV00004.html#vsv00004
> [1] VSV00005: https://varnish-cache.org/security/VSV00005.html#vsv00005

@maintainer(s), please see the quoted comment and act accordingly.

Note that we also need some new versions:
* 6.0.x needs 6.0.6 to be pulled in
* 6.1.x is not LTS so drop
* 6.2.x needs 6.2.3 to be pulled in
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-04-19 08:57:29 UTC
CVE-2019-15892 (https://nvd.nist.gov/vuln/detail/CVE-2019-15892):
  An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and
  6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to
  trigger an assert by sending crafted HTTP/1 requests. The assert will cause
  an automatic restart with a clean cache, which makes it a Denial of Service
  attack.
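A small version-triage helper, added here as an example; it is not part of this bug, of Gentoo's tree or of Varnish's own code. It encodes only the two affected ranges the comments state in full: CVE-2017-8807 affects 4.1.0 through 5.2.0 and is fixed in 4.1.9 and 5.2.1, with everything below 4.1.0 unaffected (comments 1 and 2), and CVE-2019-15892 affects 6.0.x before 6.0.4 and 6.1.x/6.2.x before 6.2.1 (comment 8). VSV00004 and VSV00005 are left out because the page lists individual affected versions for them rather than ranges. Versions are compared as integer tuples so that 4.1.10 sorts after 4.1.9, which a plain string comparison gets wrong; stripping a Gentoo -rN revision suffix before matching is an assumption of the example (a packaging revision is not an upstream release). The version list in the usage block is the one from comment 4 plus the two stabilisation targets.

```python
"""Triage Varnish version strings against the affected ranges recorded in this bug.

Added example, not Gentoo's or Varnish's code. Ranges come from the bug
comments: CVE-2017-8807 (comments 1 and 2) and CVE-2019-15892 (comment 8).
VSV00004/VSV00005 are not encoded because the page gives no ranges for them.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Half-open [first_affected, first_fixed) ranges, one entry per release branch.
ADVISORIES: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2017-8807": [
        ((4, 1, 0), (4, 1, 9)),   # 4.1 branch: 4.1.0 affected, fixed in 4.1.9; <4.1.0 unaffected
        ((5, 0, 0), (5, 2, 1)),   # 5.x branch: affected up to 5.2.0, fixed in 5.2.1
    ],
    "CVE-2019-15892": [
        ((6, 0, 0), (6, 0, 4)),   # 6.0 LTS before 6.0.4
        ((6, 1, 0), (6, 2, 1)),   # all of 6.1.x and 6.2.x before 6.2.1
    ],
}


def parse_version(s: str) -> Version:
    """Parse '6.0.6' or a Gentoo-style '6.0.6-r1' into a comparable integer tuple.

    Assumption of this example: the -rN suffix is a Gentoo packaging revision and
    carries no upstream meaning, so it is dropped. Short versions are padded with
    zeros so that '6.0' compares equal to '6.0.0'.
    """
    s = re.sub(r"-r\d+$", "", s.strip())
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (3 - len(parts))


def affected_by(version: str) -> List[str]:
    """Return the advisory IDs (in ADVISORIES order) whose ranges contain `version`."""
    v = parse_version(version)
    return [
        cve for cve, ranges in ADVISORIES.items()
        if any(lo <= v < hi for lo, hi in ranges)
    ]


def triage(versions: List[str]) -> Dict[str, List[str]]:
    """Map every version in the list to the advisories it is affected by."""
    return {ver: affected_by(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed input: the in-tree versions named in comment 4 plus the two
    # stabilisation targets (6.0.6, 6.3.2) from comment 9.
    in_tree = ["4.0.5", "4.1.8", "5.1.3", "5.2.1", "6.0.1", "6.1.1",
               "6.2.2", "6.3.0", "6.3.1", "6.0.6", "6.3.2"]
    for ver, cves in triage(in_tree).items():
        print(f"{ver:8} {', '.join(cves) or 'not in the encoded ranges'}")
```

Versions that fall outside every encoded range are reported as "not in the encoded ranges" rather than "safe": 6.0.1, 6.2.2, 6.3.0 and 6.3.1 are still listed as vulnerable in comment 4 under VSV00004/VSV00005, which this helper deliberately does not model.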
Comment 9 Anthony Basile gentoo-dev 2020-04-20 15:06:21 UTC
I just added 6.0.6 and 6.3.2 which are currently supported upstream and need to be stabilized.

I also added 6.4.0 but it does not need to be stabilized.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-20 15:15:20 UTC
(In reply to Anthony Basile from comment #9)
> I just added 6.0.6 and 6.3.2 which are currently supported upstream and need
> to be stabilized.
> 
> I also added 6.4.0 but it does not need to be stabilized.

Thank you! :)
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 14:15:17 UTC
amd64 stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-26 23:48:52 UTC
x86 stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-27 00:15:28 UTC
@maintainer(s), please cleanup
Comment 14 Larry the Git Cow gentoo-dev 2020-06-18 02:42:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67c693d8070d897eb84367da82045268f0366a6b

commit 67c693d8070d897eb84367da82045268f0366a6b
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-18 02:42:13 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-18 02:42:13 +0000

    www-servers/varnish: drop vulnerable
    
    Bug: https://bugs.gentoo.org/637578
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 www-servers/varnish/Manifest             |   3 -
 www-servers/varnish/varnish-6.0.1.ebuild | 102 ------------------------------
 www-servers/varnish/varnish-6.1.1.ebuild | 103 -------------------------------
 www-servers/varnish/varnish-6.3.1.ebuild |  98 -----------------------------
 4 files changed, 306 deletions(-)
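Review bot: the diffstat drops only varnish-6.0.1, 6.1.1 and 6.3.1, while the cleanup list in comment 4 also named 4.0.5, 4.1.8, 5.1.3, 5.2.1, 6.2.2 and 6.3.0 for removal and comment 7 asked for 6.2.3 to be pulled in; nothing else on this page shows those changes, so check the package's git history for the commits that handled them before treating this commit as the record that every vulnerable ebuild is gone.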