26404 – varnish new security issue VSV00005 (CVE-2020-11653)

Bug 26404 - varnish new security issue VSV00005 (CVE-2020-11653)

Summary: varnish new security issue VSV00005 (CVE-2020-11653)

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2020-04-01 00:00 CEST by David Walser
Modified:	2020-06-18 21:48 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	varnish-6.3.1-1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-04-01 00:00:33 CEST

Fedora has issued an advisory on March 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FWJNWSLEZGPJBSBKJBLCPFOAO36PCZ7N/

The issue is fixed upstream in 6.3.2.

Comment 1 David GEIGER 2020-04-01 06:06:37 CEST

Done for mga7!

Comment 2 David Walser 2020-04-01 22:18:27 CEST

Advisory:
========================

Updated varnish packages fix security vulnerability:

An assert can be triggered in Varnish Cache when using Varnish with a TLS
termination proxy, and the proxy and Varnish use the PROXY version 2. The
assert will cause Varnish to restart, and the cache will be empty after the
restart (VSV00005).

References:
https://varnish-cache.org/security/VSV00005.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FWJNWSLEZGPJBSBKJBLCPFOAO36PCZ7N/
========================

Updated packages in core/updates_testing:
========================
varnish-6.3.2-1.mga7
libvarnish2-6.3.2-1.mga7
libvarnish-devel-6.3.2-1.mga7

from varnish-6.3.2-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 3 Herman Viaene 2020-04-02 12:09:12 CEST

MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed bug 18244 Comment 2 for testing:
# systemctl start varnish.service
# systemctl status -l varnish.service
● varnish.service - Varnish a high-perfomance HTTP accelerator
   Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-04-02 12:00:20 CEST; 19s ago
  Process: 29409 ExecStart=/usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a ${ADDRESS}:${PORT>
 Main PID: 29410 (varnishd)
   Memory: 29.9M
   CGroup: /system.slice/varnish.service
           ├─29410 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 ->
           └─30799 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 ->

Apr 02 12:00:18 mach5.hviaene.thuis systemd[1]: Starting Varnish a high-perfomance HTTP accelerator...
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29409]: Debug: Version: varnish-6.3.2 revision NOGIT
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29409]: Debug: Platform: Linux,5.5.9-desktop-1.mga7,x86_64,-jnone,-sfile,-sde>
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Version: varnish-6.3.2 revision NOGIT
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Platform: Linux,5.5.9-desktop-1.mga7,x86_64,-jnone,-sfile,-sdefault,->
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29409]: Debug: Child (30799) Started
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Child (30799) Started
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Child (30799) said Child starts
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Child (30799) said SMF.s0 mmap'ed 1073741824 bytes of 1073741824
Apr 02 12:00:20 mach5.hviaene.thuis systemd[1]: Started Varnish a high-perfomance HTTP accelerator.

# systemctl status -l varnishncsa.service 
● varnishncsa.service - Varnish NCSA logging
   Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
This is different from Claire's testing, here I need to start this separately
# systemctl start varnishncsa.service 
# systemctl status -l varnishncsa.service 
● varnishncsa.service - Varnish NCSA logging
   Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-04-02 12:01:50 CEST; 3s ago
 Main PID: 4014 (varnishncsa)
   Memory: 252.0K
   CGroup: /system.slice/varnishncsa.service
           └─4014 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log

Apr 02 12:01:50 mach5.hviaene.thuis systemd[1]: Started Varnish NCSA logging.

# varnishadm status
Child in state running

# varnishadm backend.list
Backend name   Admin      Probe    Health     Last change
boot.default   healthy    0/0      healthy    Thu, 02 Apr 2020 10:00:20 GMT


# varnishadm banner
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,5.5.9-desktop-1.mga7,x86_64,-jnone,-sfile,-sdefault,-hcritbit
varnish-6.3.2 revision NOGIT

Type 'help' for command list.
Type 'quit' to close CLI session.

So OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-04-02 17:15:19 CEST

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-04-03 00:13:56 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2020-04-03 00:49:59 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0154.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 6 David Walser 2020-06-18 21:48:31 CEST

This has been assigned CVE-2020-11653:
https://lists.opensuse.org/opensuse-updates/2020-06/msg00058.html

Summary: varnish new security issue VSV00005 => varnish new security issue VSV00005 (CVE-2020-11653)

Note You need to log in before you can comment on or make changes to this bug.