Fedora has issued an advisory on March 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FWJNWSLEZGPJBSBKJBLCPFOAO36PCZ7N/

The issue is fixed upstream in 6.3.2.
Done for mga7!
Advisory:
========================

Updated varnish packages fix security vulnerability:

An assert can be triggered in Varnish Cache when using Varnish with a TLS termination proxy, and the proxy and Varnish use the PROXY version 2. The assert will cause Varnish to restart, and the cache will be empty after the restart (VSV00005).

References:
https://varnish-cache.org/security/VSV00005.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FWJNWSLEZGPJBSBKJBLCPFOAO36PCZ7N/
========================

Updated packages in core/updates_testing:
========================
varnish-6.3.2-1.mga7
libvarnish2-6.3.2-1.mga7
libvarnish-devel-6.3.2-1.mga7

from varnish-6.3.2-1.mga7.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed bug 18244 Comment 2 for testing:

# systemctl start varnish.service
# systemctl status -l varnish.service
● varnish.service - Varnish a high-perfomance HTTP accelerator
   Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-04-02 12:00:20 CEST; 19s ago
  Process: 29409 ExecStart=/usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a ${ADDRESS}:${PORT>
 Main PID: 29410 (varnishd)
   Memory: 29.9M
   CGroup: /system.slice/varnish.service
           ├─29410 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 ->
           └─30799 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 ->

Apr 02 12:00:18 mach5.hviaene.thuis systemd[1]: Starting Varnish a high-perfomance HTTP accelerator...
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29409]: Debug: Version: varnish-6.3.2 revision NOGIT
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29409]: Debug: Platform: Linux,5.5.9-desktop-1.mga7,x86_64,-jnone,-sfile,-sde>
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Version: varnish-6.3.2 revision NOGIT
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Platform: Linux,5.5.9-desktop-1.mga7,x86_64,-jnone,-sfile,-sdefault,->
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29409]: Debug: Child (30799) Started
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Child (30799) Started
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Child (30799) said Child starts
Apr 02 12:00:20 mach5.hviaene.thuis varnishd[29410]: Child (30799) said SMF.s0 mmap'ed 1073741824 bytes of 1073741824
Apr 02 12:00:20 mach5.hviaene.thuis systemd[1]: Started Varnish a high-perfomance HTTP accelerator.

# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
   Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

This is different from Claire's testing; here I need to start this separately.

# systemctl start varnishncsa.service
# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
   Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-04-02 12:01:50 CEST; 3s ago
 Main PID: 4014 (varnishncsa)
   Memory: 252.0K
   CGroup: /system.slice/varnishncsa.service
           └─4014 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log

Apr 02 12:01:50 mach5.hviaene.thuis systemd[1]: Started Varnish NCSA logging.

# varnishadm status
Child in state running

# varnishadm backend.list
Backend name   Admin      Probe    Health     Last change
boot.default   healthy    0/0      healthy    Thu, 02 Apr 2020 10:00:20 GMT

# varnishadm banner
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,5.5.9-desktop-1.mga7,x86_64,-jnone,-sfile,-sdefault,-hcritbit
varnish-6.3.2 revision NOGIT

Type 'help' for command list.
Type 'quit' to close CLI session.

So OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0154.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This has been assigned CVE-2020-11653: https://lists.opensuse.org/opensuse-updates/2020-06/msg00058.html
Summary: varnish new security issue VSV00005 => varnish new security issue VSV00005 (CVE-2020-11653)