| Summary: | varnish new security issue CVE-2022-23959 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | varnish-6.5.1-1.1.mga8.src.rpm | CVE: | CVE-2022-23959 |
| Status comment: | | | |
Description
David Walser
2022-02-14 22:51:11 CET

Comment 1
David Walser
2022-02-14 22:51:23 CET
Status comment: (none) => Fixed upstream in 6.6.2

Comment 2
This package is somewhat homeless, so assigning the bug globally. CC'ing NicolasL & DavidG as being the last two to commit it. If either of you take it on board, please do change the assignment to yourself.
CC: (none) => geiger.david68210, mageia

Comment 3
Fedora has issued an advisory for this today (February 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/

Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections. (CVE-2022-23959)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23959
https://www.debian.org/lts/security/2022/dla-2920
https://docs.varnish-software.com/security/VSV00008/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
========================

Updated packages in core/updates_testing:
========================
lib(64)varnish2-6.5.1-1.2.mga8
lib(64)varnish-devel-6.5.1-1.2.mga8
varnish-6.5.1-1.2.mga8

from SRPM:
varnish-6.5.1-1.2.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 4
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Ref bug 29290 Comment 3 for testing.

```
# systemctl start varnish.service
# systemctl status -l varnish.service
● varnish.service - Varnish a high-perfomance HTTP accelerator
     Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-02-21 11:38:19 CET; 36s ago
    Process: 23623 ExecStart=/usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a ${ADDRESS}:${PORT} -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thread_pool_max=1000 -p thre>
   Main PID: 23624 (varnishd)
      Tasks: 31 (limit: 9397)
     Memory: 30.2M
        CPU: 287ms
     CGroup: /system.slice/varnish.service
             ├─23624 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thread_pool_max=1000 -p thread_pool_timeout=120 ->
             └─23635 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thread_pool_max=1000 -p thread_pool_timeout=120 ->

feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: VCL compiled.
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Debug: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Debug: Platform: Linux,5.15.23-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Platform: Linux,5.15.23-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Debug: Child (23635) Started
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Child (23635) Started
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Child (23635) said Child starts
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Child (23635) said SMF.s0 mmap'ed 1073741824 bytes of 1073741824
feb 21 11:38:19 mach5.hviaene.thuis systemd[1]: Started Varnish a high-perfomance HTTP accelerator.
# systemctl start varnishncsa.service
# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
     Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-02-21 11:40:35 CET; 26s ago
   Main PID: 23784 (varnishncsa)
      Tasks: 1 (limit: 9397)
     Memory: 344.0K
        CPU: 201ms
     CGroup: /system.slice/varnishncsa.service
             └─23784 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log

feb 21 11:40:35 mach5.hviaene.thuis systemd[1]: Started Varnish NCSA logging.
# varnishadm status
Child in state running
# varnishadm backend.list
Backend name                   Admin      Probe    Health     Last change
boot.default                   healthy    0/0      healthy    Mon, 21 Feb 2022 10:38:19 GMT
# varnishadm banner
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,5.15.23-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64

Type 'help' for command list.
Type 'quit' to close CLI session.
```

All OK.
CC: (none) => herman.viaene

Comment 5
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6
Dave Hodgins
2022-02-22 19:50:07 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0079.html

Status: ASSIGNED => RESOLVED