Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 864941 (CVE-2022-38150)

Summary: <www-servers/varnish-7.1.1: assertion failure via crafted request from backend
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: blueness
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://varnish-cache.org/security/VSV00009.html
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 864991    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-11 20:31:10 UTC 
CVE-2022-38150:

In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.

Pleaes bump to 7.1.1.
Comment 1 Anthony Basile gentoo-dev 2022-08-12 13:15:08 UTC 
I just put 7.1.1 in the tree.  Preliminary test on amd64 suggests that its ready for rapid stabilization.  I'll open a bug now.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-13 23:21:23 UTC 
Thanks!
Comment 3 Anthony Basile gentoo-dev 2022-08-14 15:24:57 UTC 
(In reply to John Helmert III from comment #2)
> Thanks!

7.1.1 is fully stable and I've taken all vulnerable versions off the tree.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 16:03:24 UTC 
Thanks! Impact is very low since this requires a malicious backend, so no GLSA, all done!