| Summary: | varnish new security issue CVE-2022-45060 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | varnish-6.5.1-1.2.mga8.src.rpm | CVE: | CVE-2022-45060 |
| Status comment: | | | |
Description

David Walser
2022-11-14 18:35:07 CET

David Walser
2022-11-14 18:35:39 CET

Status comment: (none) => Fixed upstream in 6.0.11 and 7.2.1

No particular maintainer evident for this pkg, so having to assign the updates globally.

Whiteboard: (none) => MGA8TOO

Suggested advisory:
========================

The updated packages fix a security vulnerability:

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. (CVE-2022-45060)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45060
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFEBVAZE52U2TMYLTOEW3F7YGVD7XQL/
https://docs.varnish-software.com/security/VSV00011/
========================

Updated packages in core/updates_testing:
========================

lib(64)varnish2-6.5.1-1.3.mga8
lib(64)varnish-devel-6.5.1-1.3.mga8
varnish-6.5.1-1.3.mga8

from SRPM:
varnish-6.5.1-1.3.mga8.src.rpm

CC: (none) => nicolas.salguero

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 30048 for testing

```
# systemctl start varnish.service
# systemctl status -l varnish.service
● varnish.service - Varnish a high-perfomance HTTP accelerator
     Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-11-17 16:06:43 CET; 17s ago
    Process: 12506 ExecStart=/usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a ${ADDRESS}:${PORT} -T 12>
   Main PID: 12507 (varnishd)
      Tasks: 31 (limit: 4364)
     Memory: 32.0M
        CPU: 1.398s
     CGroup: /system.slice/varnish.service
             ├─12507 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 ->
             └─12519 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 ->

Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: VCL compiled.
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Debug: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Debug: Platform: Linux,5.15.74-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-h>
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Platform: Linux,5.15.74-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Debug: Child (12519) Started
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Child (12519) Started
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Child (12519) said Child starts
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Child (12519) said SMF.s0 mmap'ed 1073741824 bytes of 1073741824
Nov 17 16:06:43 mach7.hviaene.thuis systemd[1]: Started Varnish a high-perfomance HTTP accelerator.

# systemctl start varnishncsa.service
# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
     Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-11-17 16:07:35 CET; 16s ago
   Main PID: 12593 (varnishncsa)
      Tasks: 1 (limit: 4364)
     Memory: 332.0K
        CPU: 253ms
     CGroup: /system.slice/varnishncsa.service
             └─12593 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log

Nov 17 16:07:35 mach7.hviaene.thuis systemd[1]: Started Varnish NCSA logging.

# varnishadm status
Child in state running

# varnishadm backend.list
Backend name                   Admin      Probe    Health     Last change
boot.default                   healthy    0/0      healthy    Thu, 17 Nov 2022 15:06:43 GMT

# varnishadm banner
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,5.15.74-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64

Type 'help' for command list.
Type 'quit' to close CLI session.
```

All OK as in bug 30048

CC: (none) => herman.viaene

Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
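The advisory quoted in comment 2 describes the defect class rather than the patch: a value taken from an HTTP/2 pseudo-header (`:method`, `:path`) is copied into an HTTP/1 request line, and that line is delimited only by SP and CRLF, so a value carrying whitespace or control bytes can spill into other fields or lines of the request the proxy sends to its backend. The C below is an added illustration for readers of this bug; it is not Varnish code and not the upstream fix. It shows the check an HTTP/2-to-HTTP/1 translator has to apply before forwarding, and refuses any value that could occupy more than one request-line field. The function names `h1_request_line_safe`, `build_h1_request_line` and `h1_request_line_length` and the sample values are made up for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative check, not Varnish code. An HTTP/1 request line is
 * "METHOD SP request-target SP HTTP/1.1 CRLF", so a pseudo-header value
 * forwarded into it must never contain SP, HTAB, CR, LF or any other
 * control byte. Returns 1 if val is safe to place in one field, else 0.
 */
int h1_request_line_safe(const char *val)
{
    size_t len = strlen(val);

    /* :method and :path must not be empty (RFC 9113, section 8.3.1). */
    if (len == 0)
        return 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)val[i];
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n')
            return 0;           /* would split the line or end it early */
        if (c < 0x20 || c == 0x7f)
            return 0;           /* any other CTL byte */
    }
    return 1;
}

/*
 * Build the HTTP/1 request line from validated :method and :path values.
 * Returns the number of bytes written, or -1 if either value is rejected
 * or the output buffer is too small.
 */
int build_h1_request_line(const char *method, const char *path,
                          char *out, size_t outsz)
{
    if (!h1_request_line_safe(method) || !h1_request_line_safe(path))
        return -1;

    int n = snprintf(out, outsz, "%s %s HTTP/1.1\r\n", method, path);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Convenience wrapper that only reports the resulting length (or -1). */
int h1_request_line_length(const char *method, const char *path)
{
    char buf[512];
    return build_h1_request_line(method, path, buf, sizeof buf);
}

int main(void)
{
    /* Constructed sample pseudo-header values, not captured traffic. */
    const char *samples[][2] = {
        { "GET",   "/index.html" },   /* accepted */
        { "GET",   "/a b" },          /* SP would split the request-target */
        { "GET",   "/a\r\nb" },       /* CRLF would end the request line early */
        { "GE\tT", "/" },             /* HTAB is not a token character */
        { "GET",   "" },              /* empty :path */
    };
    char line[512];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_h1_request_line(samples[i][0], samples[i][1],
                                      line, sizeof line);
        if (n < 0)
            printf("sample %zu: rejected, not forwarded\n", i);
        else
            printf("sample %zu: forwarded %d bytes: %.*s\n", i, n, n - 2, line);
    }
    return 0;
}
```

The check is deliberately stricter than the HTTP/1 token grammar: it rejects every control byte instead of enumerating the allowed characters, which is the safer default when the value is about to be written into a line-oriented protocol. A translator that accepts a broader set (for example percent-encoded targets) still must never let SP, HTAB, CR or LF through.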
Dave Hodgins
2022-11-18 22:40:22 CET

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0434.html

Resolution: (none) => FIXED