Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 880627 (CVE-2022-45059, CVE-2022-45060) - <www-servers/varnish-7.1.2: multiple vulnerabilities
Summary: <www-servers/varnish-7.1.2: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-45059, CVE-2022-45060
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa? cleanup]
Keywords:
Depends on: 889962
Blocks:
  Show dependency tree
 
Reported: 2022-11-09 16:20 UTC by John Helmert III
Modified: 2023-01-28 20:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-09 16:20:50 UTC
CVE-2022-45059 (https://varnish-cache.org/security/VSV00010.html):

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.

CVE-2022-45060 (https://varnish-cache.org/security/VSV00011.html):

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Please bump to 7.1.2.
Comment 1 Larry the Git Cow gentoo-dev 2022-11-09 18:46:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f3ec2b1ef6b6295b847a134f4a098bf109239fc

commit 3f3ec2b1ef6b6295b847a134f4a098bf109239fc
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-09 18:38:23 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-09 18:46:46 +0000

    www-servers/varnish: add 7.1.2
    
    Also reenable tests, disable the 4 tests that seem to be Gentoo-specific
    failures.
    
    Bug: https://bugs.gentoo.org/880627
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 www-servers/varnish/Manifest                       |   1 +
 .../files/varnish-7.1.2-disable-tests.patch        |  27 ++++++
 www-servers/varnish/varnish-7.1.2.ebuild           | 102 +++++++++++++++++++++
 3 files changed, 130 insertions(+)