Bug 880627 (CVE-2022-45059, CVE-2022-45060)

Summary: <www-servers/varnish-7.1.2: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: minor
CC: maintainer-needed
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 889962
Bug Blocks:

Description (John Helmert III, 2022-11-09 16:20:50 UTC)
CVE-2022-45059 (https://varnish-cache.org/security/VSV00010.html):

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.

CVE-2022-45060 (https://varnish-cache.org/security/VSV00011.html):

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Please bump to 7.1.2.
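
As an added illustration (not code from this bug, from Gentoo, or from Varnish itself), here are two edge-side checks that correspond to the two CVEs above: one flags a Connection header that tries to make an end-to-end header hop-by-hop, the other flags HTTP/2 pseudo-header values that could not be placed on an HTTP/1 request line unchanged. The PROTECTED_HEADERS set and all function names are assumptions chosen for this example.

```python
import re

# Headers that must always reach the backend; a client naming them in
# Connection: must not cause them to be dropped (CVE-2022-45059 class).
# Assumed set for this example; a deployment would define its own.
PROTECTED_HEADERS = frozenset({"host", "content-length",
                               "transfer-encoding", "x-forwarded-for"})

# RFC 7230 token: the only characters allowed in an HTTP/1 method.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def hop_by_hop_violations(headers):
    """Return protected header names that a Connection: header lists as hop-by-hop.

    `headers` is a list of (name, value) pairs as received from the client.
    """
    listed = set()
    for name, value in headers:
        if name.lower() == "connection":
            listed.update(t.strip().lower() for t in value.split(",") if t.strip())
    return sorted(listed & PROTECTED_HEADERS)


def pseudo_header_problems(pseudo):
    """Check HTTP/2 pseudo-headers for content that would corrupt an HTTP/1
    request line when the request is re-serialised for the backend
    (CVE-2022-45060 class). Returns a list of (pseudo-header, reason)."""
    problems = []
    if not _TOKEN.match(pseudo.get(":method", "")):
        problems.append((":method", "not an RFC 7230 token"))
    for name in (":path", ":scheme", ":authority"):
        value = pseudo.get(name, "")
        # SP, CTLs (including CR/LF) and DEL can never appear in a request line.
        if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in value):
            problems.append((name, "whitespace or control character"))
    if pseudo.get(":scheme") not in ("http", "https"):
        problems.append((":scheme", "unexpected scheme"))
    path = pseudo.get(":path", "")
    if not path.startswith("/") and path != "*":  # origin-form or asterisk-form only
        problems.append((":path", "not origin-form"))
    return problems


if __name__ == "__main__":
    # Constructed sample input: a client trying to strip Host on its way to the backend.
    print(hop_by_hop_violations([("Host", "example.org"), ("Connection", "close, Host")]))
    print(pseudo_header_problems({":method": "GET", ":path": "/a b",
                                  ":scheme": "https", ":authority": "example.org"}))
```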
Comment 1 (Larry the Git Cow, 2022-11-09 18:46:57 UTC)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f3ec2b1ef6b6295b847a134f4a098bf109239fc

commit 3f3ec2b1ef6b6295b847a134f4a098bf109239fc
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-09 18:38:23 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-09 18:46:46 +0000

    www-servers/varnish: add 7.1.2
    
    Also reenable tests, disable the 4 tests that seem to be Gentoo-specific
    failures.
    
    Bug: https://bugs.gentoo.org/880627
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 www-servers/varnish/Manifest                       |   1 +
 .../files/varnish-7.1.2-disable-tests.patch        |  27 ++++++
 www-servers/varnish/varnish-7.1.2.ebuild           | 102 +++++++++++++++++++++
 3 files changed, 130 insertions(+)
Comment 2 (Hans de Graaff, 2023-10-02 15:38:36 UTC)
Ping. Any reason we still need to keep varnish 7.1.1-r1 around?
Comment 3 (Larry the Git Cow, 2023-10-02 17:16:54 UTC)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6a7f44fed807998118b545a3bd564b001d4ac26

commit b6a7f44fed807998118b545a3bd564b001d4ac26
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-10-02 17:16:10 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-02 17:16:33 +0000

    www-servers/varnish: drop 7.1.1-r1
    
    Bug: https://bugs.gentoo.org/880627
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/varnish/Manifest                |   1 -
 www-servers/varnish/varnish-7.1.1-r1.ebuild | 103 ----------------------------
 2 files changed, 104 deletions(-)