Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 880627 (CVE-2022-45059, CVE-2022-45060) - <www-servers/varnish-7.1.2: multiple vulnerabilities
Summary: <www-servers/varnish-7.1.2: multiple vulnerabilities
Alias: CVE-2022-45059, CVE-2022-45060
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Depends on: 889962
  Show dependency tree
Reported: 2022-11-09 16:20 UTC by John Helmert III
Modified: 2023-10-02 17:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-09 16:20:50 UTC
CVE-2022-45059 (

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.

CVE-2022-45060 (

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Please bump to 7.1.2.
Comment 1 Larry the Git Cow gentoo-dev 2022-11-09 18:46:57 UTC
The bug has been referenced in the following commit(s):

commit 3f3ec2b1ef6b6295b847a134f4a098bf109239fc
Author:     John Helmert III <>
AuthorDate: 2022-11-09 18:38:23 +0000
Commit:     John Helmert III <>
CommitDate: 2022-11-09 18:46:46 +0000

    www-servers/varnish: add 7.1.2
    Also reenable tests, disable the 4 tests that seem to be Gentoo-specific
    Signed-off-by: John Helmert III <>

 www-servers/varnish/Manifest                       |   1 +
 .../files/varnish-7.1.2-disable-tests.patch        |  27 ++++++
 www-servers/varnish/varnish-7.1.2.ebuild           | 102 +++++++++++++++++++++
 3 files changed, 130 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2023-10-02 15:38:36 UTC
Ping. Any reason we still need to keep varnish 7.1.1-r1 around?
Comment 3 Larry the Git Cow gentoo-dev 2023-10-02 17:16:54 UTC
The bug has been referenced in the following commit(s):

commit b6a7f44fed807998118b545a3bd564b001d4ac26
Author:     Hans de Graaff <>
AuthorDate: 2023-10-02 17:16:10 +0000
Commit:     Hans de Graaff <>
CommitDate: 2023-10-02 17:16:33 +0000

    www-servers/varnish: drop 7.1.1-r1
    Signed-off-by: Hans de Graaff <>

 www-servers/varnish/Manifest                |   1 -
 www-servers/varnish/varnish-7.1.1-r1.ebuild | 103 ----------------------------
 2 files changed, 104 deletions(-)