| Summary: | varnish new security issue CVE-2024-30156 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | varnish-7.3.0-1.mga9.src.rpm | CVE: | CVE-2024-30156 |
| Status comment: | |||
|
Description
Nicolas Salguero
2024-04-10 15:19:33 CEST
Nicolas Salguero
2024-04-10 15:20:02 CEST
Status comment: (none) => Fixed upstream in 7.3.2

Another parentless package, assigning this version update globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broke Window Attack. (CVE-2024-30156)

References:
https://lwn.net/Articles/969301/
========================

Updated packages in core/updates_testing:
========================
lib(6)4varnish3-7.3.2-1.mga9
lib(64)varnish-devel-7.3.2-1.mga9
varnish-7.3.2-1.mga9

from SRPM:
varnish-7.3.2-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)

Oops:

Updated packages in core/updates_testing:
========================
lib(64)varnish3-7.3.2-1.mga9
lib(64)varnish-devel-7.3.2-1.mga9
varnish-7.3.2-1.mga9

from SRPM:
varnish-7.3.2-1.mga9.src.rpm
katnatek
2024-04-12 01:00:32 CEST
Keywords: (none) => advisory

MGA9-64 Plasma in VirtualBox. No installation issues.

Following a test procedure from bug 29290 comment 3, which traces back to Bug 18244 comment 2 (Thank you, Herman and Claire!)

[root@localhost ~]# systemctl start varnish.service
[root@localhost ~]# systemctl status varnish.service
● varnish.service - Varnish a high-perfomance HTTP accelerator
     Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled; preset: disabled)
     Active: active (running) since Thu 2024-04-11 19:31:29 EDT; 23s ago
    Process: 97414 ExecStart=/usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a ${ADDRESS}:${PORT} -T 127.0.0.1:6082 -t 120 -W epoll -p thre>
   Main PID: 97415 (varnishd)
      Tasks: 31 (limit: 4690)
     Memory: 34.8M
        CPU: 488ms
     CGroup: /system.slice/varnish.service
             ├─97415 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thre>
             └─97428 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thre>

Apr 11 19:31:28 localhost.localdomain systemd[1]: Starting varnish.service...
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Version: varnish-7.3.2 revision 68818d9cc0e62df1b9c20daf7e8cb257c1869f0f
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Platform: Linux,6.6.22-desktop-1.mga9,x86_64,-jnone,-sfile,-sdefault,-hcritbit
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Child (97428) Started
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Child launched OK
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Child (97428) said Child starts
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Child (97428) said SMF.s0 mmap'ed 1073741824 bytes of 1073741824
Apr 11 19:31:29 localhost.localdomain systemd[1]: Started varnish.service.
[root@localhost ~]# systemctl status -l varnishncsa.service
○ varnishncsa.service - Varnish NCSA logging
     Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; preset: disabled)
     Active: inactive (dead)
[root@localhost ~]# systemctl start varnishncsa.service
[root@localhost ~]# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
     Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; preset: disabled)
     Active: active (running) since Thu 2024-04-11 19:33:53 EDT; 6s ago
   Main PID: 100349 (varnishncsa)
      Tasks: 1 (limit: 4690)
     Memory: 252.0K
        CPU: 55ms
     CGroup: /system.slice/varnishncsa.service
             └─100349 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log

Apr 11 19:33:53 localhost.localdomain systemd[1]: Started varnishncsa.service.
[root@localhost ~]# varnishadm status
Child in state running
[root@localhost ~]# varnishadm backend.list
Backend name   Admin      Probe    Health     Last change
boot.default   healthy    0/0      healthy    Thu, 11 Apr 2024 23:31:29 GMT
[root@localhost ~]# varnishadm banner
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,6.6.22-desktop-1.mga9,x86_64,-jnone,-sfile,-sdefault,-hcritbit
varnish-7.3.2 revision 68818d9cc0e62df1b9c20daf7e8cb257c1869f0f

Type 'help' for command list.
Type 'quit' to close CLI session.

All this is compatible with the test results in the cited bugs. OK for me. Validating.
Thomas Andrews
2024-04-12 01:41:02 CEST
Whiteboard: (none) => MGA9-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0124.html

Resolution: (none) => FIXED |
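
An added example, not part of the bug report or of Varnish itself: a shell check that takes the version string reported in the QA log (for instance the `varnishadm banner` line) and classifies it against the fixed releases listed in the suggested advisory. The function names, the sample lines and the handling of branches the advisory does not list are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a Varnish Cache version
# against the fixed releases named in the advisory for CVE-2024-30156.

# Pull "X.Y.Z" out of a line such as "varnish-7.3.2 revision 6881..." or an
# RPM name like "varnish-7.3.2-1.mga9". Prints nothing when no version follows
# the literal "varnish-" (e.g. the -devel sub-package name).
varnish_version_from_line() {
    printf '%s\n' "$1" |
        sed -n 's/.*varnish-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print "fixed", "affected" or "unknown" for a version string X.Y.Z.
# Assumed reading of the advisory: 6.0.x LTS is fixed from 6.0.13, 7.3.x from
# 7.3.2, 7.4.x from 7.4.3; every other branch older than 7.3 is affected, and
# branches newer than 7.4 are assumed to carry the fix.
cve_2024_30156_status() {
    v=$1
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) echo unknown; return 0 ;;
        *.*.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    case "$major.$minor" in
        6.0) fixed_patch=13 ;;
        7.3) fixed_patch=2 ;;
        7.4) fixed_patch=3 ;;
        *)
            if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 4 ]; }
            then echo fixed; else echo affected; fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then echo fixed; else echo affected; fi
}

# Constructed sample lines: the banner line and source RPM name as they appear
# in the report, plus a sub-package name that yields no parsable version.
for line in \
    "varnish-7.3.2 revision 68818d9cc0e62df1b9c20daf7e8cb257c1869f0f" \
    "varnish-7.3.0-1.mga9.src.rpm" \
    "lib64varnish-devel-7.3.2-1.mga9"
do
    ver=$(varnish_version_from_line "$line")
    printf '%-12s %s\n' "$(cve_2024_30156_status "$ver")" "$line"
done
```

On a live system the input line would come from `varnishadm banner` or `rpm -q varnish`, and an `unknown` result should be treated as needing a manual check.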