Bug 802219 (CVE-2021-36740)

Summary: <www-servers/varnish-6.5.2: HTTP request smuggling (CVE-2021-36740)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: blueness
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://docs.varnish-software.com/security/VSV00007/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 810670    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-15 05:29:19 UTC
CVE-2021-36740:

Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.


Please bump.
Comment 1 NATTkA bot gentoo-dev Security 2021-07-29 17:21:01 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev Security 2021-07-29 17:29:09 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev Security 2021-07-29 17:37:05 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev Security 2021-07-29 17:45:08 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev Security 2021-07-29 17:53:11 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev Security 2021-07-29 18:01:07 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev Security 2021-07-29 18:09:24 UTC Comment hidden (obsolete)
Comment 8 Anthony Basile gentoo-dev 2021-08-24 20:49:39 UTC
(In reply to John Helmert III from comment #0)
> CVE-2021-36740:
> 
> Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL
> authorization bypass via a large Content-Length header for a POST request.
> This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x
> and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
> 
> 
> Please bump.

Okay, varnish 6.5.2 and 6.6.1 are in the tree.  But I'm not sure from that description if 6.3.2 and 6.4.0 are affected.  If memory serves, someone asked for those specific versions.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-24 23:03:45 UTC
(In reply to Anthony Basile from comment #8)
> (In reply to John Helmert III from comment #0)
> > CVE-2021-36740:
> > 
> > Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL
> > authorization bypass via a large Content-Length header for a POST request.
> > This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x
> > and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
> > 
> > 
> > Please bump.
> 
> Okay varnish 6.5.2 and 6.6.1 are in the tree.  But I'm not sure from that
> description if 6.3.2 and 6.4.0 are affected.  If memory serves, someone
> asked for those specific version.

Thank you! Upstream advisory says they're vulnerable. Please file a stablereq when ready.
Comment 10 Anthony Basile gentoo-dev 2021-08-27 12:43:51 UTC
(In reply to John Helmert III from comment #9)
> (In reply to Anthony Basile from comment #8)
> > (In reply to John Helmert III from comment #0)
> > > CVE-2021-36740:
> > > 
> > > Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL
> > > authorization bypass via a large Content-Length header for a POST request.
> > > This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x
> > > and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
> > > 
> > > 
> > > Please bump.
> > 
> > Okay varnish 6.5.2 and 6.6.1 are in the tree.  But I'm not sure from that
> > description if 6.3.2 and 6.4.0 are affected.  If memory serves, someone
> > asked for those specific version.
> 
> Thank you! Upstream advisory says they're vulnerable. Please file a
> stablereq when ready.

I'm actually on both amd64 and x86 and tested.  They're fine. But it's bad practice to stabilize your own packages just because you want a second eye.

Let's go for stabilizing 6.5.2 and 6.6.1.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-27 14:20:16 UTC
Thanks! Note we're detaching stabilization from security bugs, so I went ahead and filed a dedicated stabilization bug.
Comment 12 Anthony Basile gentoo-dev 2021-08-29 11:34:43 UTC
(In reply to John Helmert III from comment #11)
> Thanks! Note we're detaching stabilization from security bugs, so I went
> ahead and filed a dedicated stabilization bug.

The vulnerable versions are off the tree.  You may proceed with this bug.
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-29 13:58:37 UTC
Thanks! GLSA vote: no. Closing.