Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 637578 (CVE-2017-8807, CVE-2019-15892, CVE-2019-20637, CVE-2020-11653) - <www-servers/varnish-{6.0.6,6.3.2}: Multiple vulnerabilities (CVE-2017-8807, CVE-2019-15892, CVE-2020-{11653,20637})
Summary: <www-servers/varnish-{6.0.6,6.3.2}: Multiple vulnerabilities (CVE-2017-8807, ...
Status: RESOLVED FIXED
Alias: CVE-2017-8807, CVE-2019-15892, CVE-2019-20637, CVE-2020-11653
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://varnish-cache.org/security/VS...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-15 13:37 UTC by Francis Booth
Modified: 2020-06-18 02:43 UTC (History)
1 user (show)

See Also:
Package list:
=www-servers/varnish-6.0.6 amd64 x86 =www-servers/varnish-6.3.2 amd64 x86
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Francis Booth 2017-11-15 13:37:14 UTC
'shamger' and Carlo Cannas discovered that a programming error in
Varnish, a state of the art, high-performance web accelerator, may
result in disclosure of memory contents or denial of service.

An invalid if statement can cause the over-allocation of memory causing a segfault in the application.

Reproducible: Didn't try
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 19:05:51 UTC
Fixed in
4.1.9 and forward
5.2.1 and forward

Please Update
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-13 23:56:28 UTC
(In reply to Yury German from comment #1)
> Fixed in
> 4.1.9 and forward
> 5.2.1 and forward
> 
> Please Update

Seems that 4.1.0 - 5.2.0 is affected, so in tree, these are still problematic:
- 4.1.8
- 5.1.3

(note that <4.1.0 not affected)
Comment 3 Anthony Basile gentoo-dev 2020-03-14 22:29:52 UTC
(In reply to sam_c (Security Padawan) from comment #2)
> (In reply to Yury German from comment #1)
> > Fixed in
> > 4.1.9 and forward
> > 5.2.1 and forward
> > 
> > Please Update
> 
> Seems that 4.1.0 - 5.2.0 is affected, so in tree, these are still
> problematic:
> - 4.1.8
> - 5.1.3
> 
> (note that <4.1.0 not affected)

yep, I'm just waiting for 5.2.1 to be stabilized on x86.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 03:47:28 UTC
I checked the site and noticed this bug doesn't cover all the vulnerable versions in tree. I've summarised the versions which need to be culled here, hopefully it's useful -- I needed it at least!

- 4.x (it's EOL'd) (remove entirely)
-- 4.0.5 (EOL)
-- 4.1.8 (affected here)
-- 5.1.3 (affected here)

- 5.x (it's EOL'd) (remove entirely)

-- 5.2.1 (EOL) (affected by VS00004) [0]
-- 5.1.3 (affected here)

- 6.0.x (supported)
-- 6.0.1 (affected by VS00004) [0]
-- 6.1.1 (affected by VS00005) [1]
-- 6.2.2 (affected by VS00005) [1]
-- 6.3.0 (affected by VS00005) [1]
-- 6.3.1 (affected by VS00005) [1]

So, with this in mind, I think it looks right to stabilise 6.3.2 and drop 4.x, 5.x, the vulnerable in 6.x (and therefore abandon the existing stabilisation effort).

[0] VS00004: https://varnish-cache.org/security/VSV00004.html#vsv00004
[1] VS00005: https://varnish-cache.org/security/VSV00005.html#vsv00005
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-08 23:49:06 UTC
[updating with assigned CVEs]
Comment 6 NATTkA bot gentoo-dev 2020-04-12 19:31:14 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-16 21:53:20 UTC
(In reply to Sam James (sec padawan) from comment #4)
> I checked the site and noticed this bug doesn't cover all the vulnerable
> versions in tree. I've summarised the versions which need to be culled here,
> hopefully it's useful -- I needed it at least!
> 
> - 4.x (it's EOL'd) (remove entirely)
> -- 4.0.5 (EOL)
> -- 4.1.8 (affected here)
> -- 5.1.3 (affected here)
> 
> - 5.x (it's EOL'd) (remove entirely)
> 
> -- 5.2.1 (EOL) (affected by VS00004) [0]
> -- 5.1.3 (affected here)
> 
> - 6.0.x (supported)
> -- 6.0.1 (affected by VS00004) [0]
> -- 6.1.1 (affected by VS00005) [1]
> -- 6.2.2 (affected by VS00005) [1]
> -- 6.3.0 (affected by VS00005) [1]
> -- 6.3.1 (affected by VS00005) [1]
> 
> So, with this in mind, I think it looks right to stabilise 6.3.2 and drop
> 4.x, 5.x, the vulnerable in 6.x (and therefore abandon the existing
> stabilisation effort).
> 
> [0] VS00004: https://varnish-cache.org/security/VSV00004.html#vsv00004
> [1] VS00005: https://varnish-cache.org/security/VSV00005.html#vsv00005

@maintainer(s), please see the quoted comment and act accordingly.

Note that we also need some new versions:
* 6.0.x needs 6.0.6 to be pulled in
* 6.1.x is not LTS so drop
* 6.2.x needs 6.2.3 to be pulled in
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-04-19 08:57:29 UTC
CVE-2019-15892 (https://nvd.nist.gov/vuln/detail/CVE-2019-15892):
  An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and
  6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to
  trigger an assert by sending crafted HTTP/1 requests. The assert will cause
  an automatic restart with a clean cache, which makes it a Denial of Service
  attack.
Comment 9 Anthony Basile gentoo-dev 2020-04-20 15:06:21 UTC
I just added 6.0.6 and 6.3.2 which are currently supported upstream and need to be stabilized.

I also added 6.4.0 but it does not need to be stabilized.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-20 15:15:20 UTC
(In reply to Anthony Basile from comment #9)
> I just added 6.0.6 and 6.3.2 which are currently supported upstream and need
> to be stabilized.
> 
> I also added 6.4.0 but it does not need to be stabilized.

Thank you! :)
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 14:15:17 UTC
amd64 stable
Comment 12 Thomas Deutschmann gentoo-dev 2020-04-26 23:48:52 UTC
x86 stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-27 00:15:28 UTC
@maintainer(s), please cleanup
Comment 14 Larry the Git Cow gentoo-dev 2020-06-18 02:42:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67c693d8070d897eb84367da82045268f0366a6b

commit 67c693d8070d897eb84367da82045268f0366a6b
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-18 02:42:13 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-18 02:42:13 +0000

    www-servers/varnish: drop vulnerable
    
    Bug: https://bugs.gentoo.org/637578
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 www-servers/varnish/Manifest             |   3 -
 www-servers/varnish/varnish-6.0.1.ebuild | 102 ------------------------------
 www-servers/varnish/varnish-6.1.1.ebuild | 103 -------------------------------
 www-servers/varnish/varnish-6.3.1.ebuild |  98 -----------------------------
 4 files changed, 306 deletions(-)