Bug 802219 (CVE-2021-36740) - <www-servers/varnish-6.5.2: HTTP request smuggling (CVE-2021-36740)
Summary: <www-servers/varnish-6.5.2: HTTP request smuggling (CVE-2021-36740)
Status: RESOLVED FIXED
Alias: CVE-2021-36740
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://docs.varnish-software.com/sec...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 810670
Blocks:
Reported: 2021-07-15 05:29 UTC by John Helmert III
Modified: 2021-08-29 13:58 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-15 05:29:19 UTC
CVE-2021-36740:

Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.


Please bump.
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:21:01 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:29:09 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:37:05 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:45:08 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:53:11 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:01:07 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:09:24 UTC Comment hidden (obsolete)
Comment 8 Anthony Basile gentoo-dev 2021-08-24 20:49:39 UTC
(In reply to John Helmert III from comment #0)
> CVE-2021-36740:
> 
> Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL
> authorization bypass via a large Content-Length header for a POST request.
> This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x
> and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
> 
> 
> Please bump.

Okay, varnish 6.5.2 and 6.6.1 are in the tree.  But I'm not sure from that description if 6.3.2 and 6.4.0 are affected.  If memory serves, someone asked for those specific versions.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-24 23:03:45 UTC
(In reply to Anthony Basile from comment #8)
> (In reply to John Helmert III from comment #0)
> > CVE-2021-36740:
> > 
> > Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL
> > authorization bypass via a large Content-Length header for a POST request.
> > This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x
> > and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
> > 
> > 
> > Please bump.
> 
> Okay varnish 6.5.2 and 6.6.1 are in the tree.  But I'm not sure from that
> description if 6.3.2 and 6.4.0 are affected.  If memory serves, someone
> asked for those specific versions.

Thank you! Upstream advisory says they're vulnerable. Please file a stablereq when ready.
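An added example (not code from this bug or from the Varnish project) that encodes the affected ranges from the CVE description in comment #0 as a version triage check; it also answers the question in comment #8, since 6.3.2 and 6.4.0 both fall under "6.x before 6.5.2". The function names and the accepted version-string forms (`MAJOR.MINOR.PATCH`, plus the Enterprise `MAJOR.MINOR.PATCHrN`) are assumptions.

```python
import re

# Affected ranges exactly as stated in the CVE-2021-36740 description:
#   Varnish Cache: 5.x, 6.x before 6.5.2, 6.6.x before 6.6.1, 6.0 LTS before 6.0.8
#   Varnish Enterprise: 6.0.x before 6.0.8r3
# Versions outside those lines are reported as "not listed", not as safe.

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?$")


def parse_version(text):
    """Parse 'M.m.p' or the Enterprise 'M.m.prN' form (assumed formats) into
    (major, minor, patch, revision); revision is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Varnish version string: {text!r}")
    major, minor, patch, rev = m.groups()
    return int(major), int(minor), int(patch), int(rev or 0)


def is_affected(version, enterprise=False):
    """True if the version falls inside a range the advisory lists as affected."""
    major, minor, patch, rev = parse_version(version)
    if enterprise:
        # Only the Enterprise 6.0.x line is listed; fixed in 6.0.8r3.
        return (major, minor) == (6, 0) and (patch, rev) < (8, 3)
    if major == 5:
        return True                      # all of 5.x is listed as affected
    if major != 6:
        return False                     # no other major line is listed
    if minor == 0:
        return patch < 8                 # 6.0 LTS branch, fixed in 6.0.8
    if minor == 6:
        return patch < 1                 # 6.6.x branch, fixed in 6.6.1
    return (minor, patch) < (5, 2)       # remaining 6.x, fixed in 6.5.2


def triage(versions, enterprise=False):
    """Map each version string to True (affected) or False (not listed)."""
    return {v: is_affected(v, enterprise) for v in versions}


if __name__ == "__main__":
    # Versions discussed in this bug: the two in question and the two fixed ones.
    for ver, hit in triage(["6.3.2", "6.4.0", "6.5.2", "6.6.1"]).items():
        print(f"varnish-{ver}: {'AFFECTED' if hit else 'not listed as affected'}")
```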
Comment 10 Anthony Basile gentoo-dev 2021-08-27 12:43:51 UTC
(In reply to John Helmert III from comment #9)
> (In reply to Anthony Basile from comment #8)
> > (In reply to John Helmert III from comment #0)
> > > CVE-2021-36740:
> > > 
> > > Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL
> > > authorization bypass via a large Content-Length header for a POST request.
> > > This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x
> > > and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
> > > 
> > > 
> > > Please bump.
> > 
> > Okay varnish 6.5.2 and 6.6.1 are in the tree.  But I'm not sure from that
> > description if 6.3.2 and 6.4.0 are affected.  If memory serves, someone
> > asked for those specific versions.
> 
> Thank you! Upstream advisory says they're vulnerable. Please file a
> stablereq when ready.

I'm actually on both amd64 and x86 and tested.  They're fine. But it's bad practice to stabilize your own packages just because you want a second eye.

Let's go for stabilizing 6.5.2 and 6.6.1.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-27 14:20:16 UTC
Thanks! Note we're detaching stabilization from security bugs, so I went ahead and filed a dedicated stabilization bug.
Comment 12 Anthony Basile gentoo-dev 2021-08-29 11:34:43 UTC
(In reply to John Helmert III from comment #11)
> Thanks! Note we're detaching stabilization from security bugs, so I went
> ahead and filed a dedicated stabilization bug.

The vulnerable versions are off the tree.  You may proceed with this bug.
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-29 13:58:37 UTC
Thanks! GLSA vote: no. Closing.