CVE-2022-45059 (https://varnish-cache.org/security/VSV00010.html): An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.

CVE-2022-45060 (https://varnish-cache.org/security/VSV00011.html): An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server.

Note: the 6.0.x LTS series (before 6.0.11) is affected. Please bump to 7.1.2.
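The two bug classes above, as an added illustration (this is not Varnish source code and does not reproduce its fix): a proxy that terminates HTTP/2 and forwards HTTP/1 to a backend must (a) not let the client's `Connection:` list make it drop framing or routing headers such as `Host` and `Content-Length`, and (b) not splice `:method` / `:path` pseudo-headers into the HTTP/1 request line without checking them for characters that are illegal there (CR, LF, SP, other controls). The function names, the `PROTECTED` set and the reject-with-400 policy are assumptions chosen for this example; the forged request below is constructed input.

```python
"""Two forwarding checks for an HTTP/2 -> HTTP/1 proxy (added example, not Varnish code)."""
import re

# RFC 9110 token characters: what an HTTP/1 method name may consist of.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Headers that carry framing or routing. A client must not be able to make the
# proxy strip them by naming them in Connection (assumed set for this example).
PROTECTED = frozenset({"host", "content-length", "transfer-encoding"})
# Field names that are hop-by-hop by definition and always removed on forward.
HOP_BY_HOP = frozenset({"connection", "keep-alive", "proxy-connection",
                        "te", "trailer", "upgrade"})


def headers_to_strip_unchecked(headers):
    """Vulnerable pattern: strip whatever the client lists in Connection."""
    strip = set(HOP_BY_HOP)
    for name, value in headers:
        if name.lower() == "connection":
            strip.update(t.strip().lower() for t in value.split(",") if t.strip())
    return strip


def headers_to_strip(headers):
    """Hardened: same parsing, but refuse requests that nominate protected headers."""
    strip = headers_to_strip_unchecked(headers)
    bad = strip & PROTECTED
    if bad:
        raise ValueError("400: Connection nominates protected header(s): "
                         + ", ".join(sorted(bad)))
    return strip


def forward_headers(headers):
    """Headers to send to the backend, as a list of (name, value) pairs."""
    strip = headers_to_strip(headers)
    return [(n, v) for n, v in headers if n.lower() not in strip]


def h1_request_line_unchecked(pseudo):
    """Vulnerable pattern: splice pseudo-headers straight into the request line."""
    return "%s %s HTTP/1.1\r\n" % (pseudo[":method"], pseudo[":path"])


def h1_request_line(pseudo):
    """Hardened: only printable ASCII without SP may reach the request line."""
    method = pseudo.get(":method", "")
    path = pseudo.get(":path", "")
    authority = pseudo.get(":authority", "")
    if not _TOKEN.match(method):
        raise ValueError("400: invalid :method")
    # CONNECT carries no :path; every other method needs a non-empty one.
    if not path or not all(0x21 <= ord(c) <= 0x7E for c in path):
        raise ValueError("400: invalid :path")
    if not all(0x21 <= ord(c) <= 0x7E for c in authority):
        raise ValueError("400: invalid :authority")
    return "%s %s HTTP/1.1\r\n" % (method, path)


def rejects(fn, arg):
    """True if fn(arg) raises the 400 ValueError used above."""
    try:
        fn(arg)
    except ValueError:
        return True
    return False


# Constructed input: a :path that smuggles a second request line and headers.
FORGED = {":method": "GET", ":scheme": "https", ":authority": "example.test",
          ":path": "/ HTTP/1.1\r\nHost: backend\r\n\r\nGET /admin"}
# Constructed input: Connection nominating a framing header as hop-by-hop.
SMUGGLE = [("Host", "example.test"), ("Content-Length", "5"),
           ("Connection", "close, Content-Length")]

if __name__ == "__main__":
    print(repr(h1_request_line_unchecked(FORGED)))   # two request lines, one buffer
    print(rejects(h1_request_line, FORGED))          # True
    print(headers_to_strip_unchecked(SMUGGLE))       # contains 'content-length'
    print(rejects(forward_headers, SMUGGLE))         # True
```

The unchecked variants show the failure mode: `headers_to_strip_unchecked` would silently drop `Content-Length` before forwarding, and `h1_request_line_unchecked` emits a buffer containing two request lines and an injected `Host:` header. The hardened variants reject both at the front door instead of forwarding something the backend may parse differently.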
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f3ec2b1ef6b6295b847a134f4a098bf109239fc

commit 3f3ec2b1ef6b6295b847a134f4a098bf109239fc
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-09 18:38:23 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-09 18:46:46 +0000

www-servers/varnish: add 7.1.2

Also reenable tests, disable the 4 tests that seem to be Gentoo-specific failures.

Bug: https://bugs.gentoo.org/880627
Signed-off-by: John Helmert III <ajak@gentoo.org>

www-servers/varnish/Manifest | 1 +
.../files/varnish-7.1.2-disable-tests.patch | 27 ++++++
www-servers/varnish/varnish-7.1.2.ebuild | 102 +++++++++++++++++++++
3 files changed, 130 insertions(+)
Ping. Any reason we still need to keep varnish 7.1.1-r1 around?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6a7f44fed807998118b545a3bd564b001d4ac26

commit b6a7f44fed807998118b545a3bd564b001d4ac26
Author: Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-10-02 17:16:10 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-02 17:16:33 +0000

www-servers/varnish: drop 7.1.1-r1

Bug: https://bugs.gentoo.org/880627
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

www-servers/varnish/Manifest | 1 -
www-servers/varnish/varnish-7.1.1-r1.ebuild | 103 ----------------------------
2 files changed, 104 deletions(-)