Bug 880627 (CVE-2022-45059, CVE-2022-45060) - <www-servers/varnish-7.1.2: multiple vulnerabilities
Summary: <www-servers/varnish-7.1.2: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-45059, CVE-2022-45060
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 889962
Blocks:
Reported: 2022-11-09 16:20 UTC by John Helmert III
Modified: 2023-10-02 17:17 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-09 16:20:50 UTC
CVE-2022-45059 (https://varnish-cache.org/security/VSV00010.html):

An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.

CVE-2022-45060 (https://varnish-cache.org/security/VSV00011.html):

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Please bump to 7.1.2.
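As an added example (not code from this bug report or from Varnish), a small Python model of the two forwarding checks the advisories above describe, written from the defender's side: refuse requests whose Connection header tries to make protected end-to-end headers hop-by-hop (CVE-2022-45059), and refuse HTTP/2 pseudo-header values that cannot be written onto an HTTP/1 request line (CVE-2022-45060). The protected header set, the forbidden-byte class and the sample requests are constructed assumptions, not Varnish's actual rules or fix.

```python
import re

# Constructed list of end-to-end headers that a client must never be allowed to
# nominate as hop-by-hop via Connection: if the proxy dropped them, the backend
# would parse or route the request differently from the proxy (the VSV00010
# failure mode). This is an illustrative set, not Varnish's own.
PROTECTED = {"host", "content-length", "transfer-encoding", "upgrade",
             "authorization", "x-forwarded-for"}

# Bytes that can never appear inside an HTTP/1 request line: CTLs, SP, HTAB, DEL.
_H1_REQUEST_LINE_BAD = re.compile(r"[\x00-\x20\x7f]")


def nominated_hop_by_hop(headers):
    """Lower-cased header names the client's Connection header asks to be dropped."""
    conn = headers.get("connection", "")
    return {t.strip().lower() for t in conn.split(",") if t.strip()}


def hop_by_hop_violations(headers):
    """Protected end-to-end headers that the request tries to make hop-by-hop."""
    return sorted(nominated_hop_by_hop(headers) & PROTECTED)


def pseudo_header_violations(pseudo):
    """HTTP/2 pseudo-headers whose value cannot be placed on an HTTP/1 request line."""
    return [name for name, value in pseudo.items()
            if name.startswith(":") and _H1_REQUEST_LINE_BAD.search(value)]


def forward_decision(headers, pseudo):
    """Reject (400) on either class of violation; otherwise return the HTTP/1
    request line and the headers that remain after honouring Connection."""
    if hop_by_hop_violations(headers) or pseudo_header_violations(pseudo):
        return 400, None
    drop = nominated_hop_by_hop(headers) | {"connection"}
    kept = {k: v for k, v in headers.items() if k.lower() not in drop}
    line = f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1"
    return 200, (line, kept)


if __name__ == "__main__":
    # Constructed sample: a benign request and one that nominates Content-Length.
    benign = {"host": "cache.example.test", "content-length": "0",
              "connection": "keep-alive", "keep-alive": "timeout=5"}
    print(forward_decision(benign, {":method": "GET", ":path": "/"}))
    tampered = dict(benign, connection="keep-alive, Content-Length")
    print(forward_decision(tampered, {":method": "GET", ":path": "/"}))
```

The benign request forwards with only Connection and the nominated Keep-Alive header removed; the tampered one is rejected before any header is dropped.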
Comment 1 Larry the Git Cow gentoo-dev 2022-11-09 18:46:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f3ec2b1ef6b6295b847a134f4a098bf109239fc

commit 3f3ec2b1ef6b6295b847a134f4a098bf109239fc
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-09 18:38:23 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-09 18:46:46 +0000

    www-servers/varnish: add 7.1.2
    
    Also reenable tests, disable the 4 tests that seem to be Gentoo-specific
    failures.
    
    Bug: https://bugs.gentoo.org/880627
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 www-servers/varnish/Manifest                       |   1 +
 .../files/varnish-7.1.2-disable-tests.patch        |  27 ++++++
 www-servers/varnish/varnish-7.1.2.ebuild           | 102 +++++++++++++++++++++
 3 files changed, 130 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2023-10-02 15:38:36 UTC
Ping. Any reason we still need to keep varnish 7.1.1-r1 around?
Comment 3 Larry the Git Cow gentoo-dev 2023-10-02 17:16:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6a7f44fed807998118b545a3bd564b001d4ac26

commit b6a7f44fed807998118b545a3bd564b001d4ac26
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-10-02 17:16:10 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-02 17:16:33 +0000

    www-servers/varnish: drop 7.1.1-r1
    
    Bug: https://bugs.gentoo.org/880627
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/varnish/Manifest                |   1 -
 www-servers/varnish/varnish-7.1.1-r1.ebuild | 103 ----------------------------
 2 files changed, 104 deletions(-)