| Summary: | varnish new security issue VSV00005 (CVE-2020-11653) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | varnish-6.3.1-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2020-04-01 00:00:33 CEST
Done for mga7!

Advisory:
========================

Updated varnish packages fix security vulnerability:

An assert can be triggered in Varnish Cache when using Varnish with a TLS termination proxy, and the proxy and Varnish use the PROXY version 2. The assert will cause Varnish to restart, and the cache will be empty after the restart (VSV00005).

References:
https://varnish-cache.org/security/VSV00005.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FWJNWSLEZGPJBSBKJBLCPFOAO36PCZ7N/
========================

Updated packages in core/updates_testing:
========================
varnish-6.3.2-1.mga7
libvarnish2-6.3.2-1.mga7
libvarnish-devel-6.3.2-1.mga7

from varnish-6.3.2-1.mga7.src.rpm

CC: (none) => geiger.david68210

MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed bug 18244 Comment 2 for testing:

```
# systemctl start varnish.service
# systemctl status -l varnish.service
● varnish.service - Varnish a high-perfomance HTTP accelerator
   Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-04-02 12:00:20 CEST; 19s ago
  Process: 29409 ExecStart=/usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a ${ADDRESS}:${PORT>
 Main PID: 29410 (varnishd)
   Memory: 29.9M
   CGroup: /system.slice/varnish.service
           ├─29410 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 ->
           └─30799 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 ->

Apr 02 12:00:18 mach5.hviaene.thuis systemd[1]: Starting Varnish a high-perfomance HTTP accelerator...
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29409]: Debug: Version: varnish-6.3.2 revision NOGIT
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29409]: Debug: Platform: Linux,5.5.9-desktop-1.mga7,x86_64,-jnone,-sfile,-sde>
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Version: varnish-6.3.2 revision NOGIT
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Platform: Linux,5.5.9-desktop-1.mga7,x86_64,-jnone,-sfile,-sdefault,->
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29409]: Debug: Child (30799) Started
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Child (30799) Started
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Child (30799) said Child starts
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Child (30799) said SMF.s0 mmap'ed 1073741824 bytes of 1073741824
Apr 02 12:00:20 mach5.hviaene.thuis systemd[1]: Started Varnish a high-perfomance HTTP accelerator.

# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
   Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
```

This is different from Claire's testing, here I need to start this separately

```
# systemctl start varnishncsa.service
# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
   Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-04-02 12:01:50 CEST; 3s ago
 Main PID: 4014 (varnishncsa)
   Memory: 252.0K
   CGroup: /system.slice/varnishncsa.service
           └─4014 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log

Apr 02 12:01:50 mach5.hviaene.thuis systemd[1]: Started Varnish NCSA logging.

# varnishadm status
Child in state running

# varnishadm backend.list
Backend name                   Admin      Probe    Health     Last change
boot.default                   healthy    0/0      healthy    Thu, 02 Apr 2020 10:00:20 GMT

# varnishadm banner
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,5.5.9-desktop-1.mga7,x86_64,-jnone,-sfile,-sdefault,-hcritbit
varnish-6.3.2 revision NOGIT

Type 'help' for command list.
Type 'quit' to close CLI session.
```

So OK for me.

CC: (none) => herman.viaene

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund
2020-04-03 00:13:56 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0154.html

Resolution: (none) => FIXED

This has been assigned CVE-2020-11653:

https://lists.opensuse.org/opensuse-updates/2020-06/msg00058.html

Summary: varnish new security issue VSV00005 => varnish new security issue VSV00005 (CVE-2020-11653)
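The advisory's failure mode (worker child aborts on an assert, the management process restarts it, and the cache starts empty) is visible from the management process's "Child (pid) Started" / "Child (pid) died" journal lines like those in the status output above. The following script is an added detection example, not part of this bug report or of Varnish itself; the sample journal lines are constructed in the format shown on the page, and the "died signal=6" line and the Panic line are assumed to be the form varnishd uses on an assertion abort.

```python
import re

# Constructed sample journal lines: a clean start, then a child that dies
# on an assertion (signal 6 = SIGABRT) and is restarted by manager 29410.
SAMPLE_LOG = """\
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Child (30799) Started
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Child (30799) said Child starts
Apr 02 12:17:03 mach5.hviaene.thuis varnishd[29410]: Child (30799) died signal=6 (core dumped)
Apr 02 12:17:03 mach5.hviaene.thuis varnishd[29410]: Child (30799) Panic at: Thu, 02 Apr 2020 10:17:03 GMT
Apr 02 12:17:04 mach5.hviaene.thuis varnishd[29410]: Child (31250) Started
Apr 02 12:17:04 mach5.hviaene.thuis varnishd[29410]: Child (31250) said Child starts
"""

# Match the two events we care about: a child start and a child death.
CHILD_EVENT = re.compile(
    r"varnishd\[(?P<mgr>\d+)\]: Child \((?P<child>\d+)\) "
    r"(?P<event>Started|died signal=(?P<sig>\d+))"
)

def find_child_restarts(log_text):
    """Return one record per worker restart: a 'Started' for a new child pid
    under a manager that already had a child. The signal recorded for the
    previous child (6 = SIGABRT) tells you it was an assert, as in VSV00005;
    every such restart also means the cache was emptied."""
    restarts = []
    last_child = {}  # manager pid -> (child pid, death signal or None)
    for line in log_text.splitlines():
        m = CHILD_EVENT.search(line)
        if not m:
            continue
        mgr, child = m["mgr"], m["child"]
        if m["event"] == "Started":
            prev = last_child.get(mgr)
            if prev is not None and prev[0] != child:
                restarts.append({"manager": mgr, "old_child": prev[0],
                                 "new_child": child, "signal": prev[1]})
            last_child[mgr] = (child, None)
        else:
            last_child[mgr] = (child, int(m["sig"]))
    return restarts

if __name__ == "__main__":
    for r in find_child_restarts(SAMPLE_LOG):
        print("varnish worker restart (cache emptied):", r)
```

Feed it `journalctl -u varnish.service --no-pager` output in practice; one hit per restart, and a run of hits with signal 6 after a PROXY v2 terminator was deployed is the symptom the advisory describes.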