CVE-2021-36740: Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8. Please bump.
Package list is empty or all packages have requested keywords.
(In reply to John Helmert III from comment #0)
> CVE-2021-36740:
>
> Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL
> authorization bypass via a large Content-Length header for a POST request.
> This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x
> and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
>
> Please bump.

Okay, varnish 6.5.2 and 6.6.1 are in the tree. But I'm not sure from that description if 6.3.2 and 6.4.0 are affected. If memory serves, someone asked for those specific versions.
(In reply to Anthony Basile from comment #8)
> (In reply to John Helmert III from comment #0)
> > CVE-2021-36740:
> >
> > Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL
> > authorization bypass via a large Content-Length header for a POST request.
> > This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x
> > and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
> >
> > Please bump.
>
> Okay varnish 6.5.2 and 6.6.1 are in the tree. But I'm not sure from that
> description if 6.3.2 and 6.4.0 are affected. If memory serves, someone
> asked for those specific version.

Thank you! Upstream advisory says they're vulnerable. Please file a stablereq when ready.
(In reply to John Helmert III from comment #9)
> (In reply to Anthony Basile from comment #8)
> > (In reply to John Helmert III from comment #0)
> > > CVE-2021-36740:
> > >
> > > Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL
> > > authorization bypass via a large Content-Length header for a POST request.
> > > This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x
> > > and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
> > >
> > > Please bump.
> >
> > Okay varnish 6.5.2 and 6.6.1 are in the tree. But I'm not sure from that
> > description if 6.3.2 and 6.4.0 are affected. If memory serves, someone
> > asked for those specific version.
>
> Thank you! Upstream advisory says they're vulnerable. Please file a
> stablereq when ready.

I'm actually on both amd64 and x86 and tested. They're fine. But it's bad practice to stabilize your own packages just because you want a second eye. Let's go for stabilizing 6.5.2 and 6.6.1.
Thanks! Note we're detaching stabilization from security bugs, so I went ahead and filed a dedicated stabilization bug.
(In reply to John Helmert III from comment #11)
> Thanks! Note we're detaching stabilization from security bugs, so I went
> ahead and filed a dedicated stabilization bug.

The vulnerable versions are off the tree. You may proceed with this bug.
Thanks! GLSA vote: no. Closing.