Fedora has issued an advisory today (July 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THV2DQA2GS65HUCKK4KSD2XLN3AAQ2V5/

The issue is fixed upstream in 6.5.2:
https://varnish-cache.org/security/VSV00007.html

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 6.5.2
Whiteboard: (none) => MGA8TOO
fixed in mga8/9:
src:
- varnish-6.5.1-1.1.mga8
Version: Cauldron => 8
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 6.5.2 => (none)
CC: (none) => mageia
varnish-6.5.1-1.1.mga8
libvarnish2-6.5.1-1.1.mga8
libvarnish-devel-6.5.1-1.1.mga8

from varnish-6.5.1-1.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
MGA8-64 Plasma on Lenovo B50
No installation issues.
I don't know what this really does accelerate, but at least it does no harm.
Ref bug 26404 Comment 3 for testing.

# systemctl start varnish.service
# systemctl status -l varnish.service
● varnish.service - Varnish a high-perfomance HTTP accelerator
     Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2021-07-28 15:19:08 CEST; 27s ago
    Process: 16366 ExecStart=/usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a ${ADDRESS}:${PORT} -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p threa>
   Main PID: 16367 (varnishd)
      Tasks: 32 (limit: 9402)
     Memory: 32.3M
        CPU: 280ms
     CGroup: /system.slice/varnish.service
             ├─16367 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thread_pool_max=1000 -p th>
             └─16380 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thread_pool_max=1000 -p th>

jul 28 15:19:08 mach5.hviaene.thuis varnishd[16367]: VCL compiled.
jul 28 15:19:08 mach5.hviaene.thuis varnishd[16367]: Debug: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
jul 28 15:19:08 mach5.hviaene.thuis varnishd[16367]: Debug: Platform: Linux,5.10.52-desktop-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
jul 28 15:19:08 mach5.hviaene.thuis varnishd[16367]: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
jul 28 15:19:08 mach5.hviaene.thuis varnishd[16367]: Platform: Linux,5.10.52-desktop-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
jul 28 15:19:08 mach5.hviaene.thuis varnishd[16367]: Debug: Child (16380) Started
jul 28 15:19:08 mach5.hviaene.thuis varnishd[16367]: Child (16380) Started
jul 28 15:19:08 mach5.hviaene.thuis varnishd[16367]: Child (16380) said Child starts
jul 28 15:19:08 mach5.hviaene.thuis varnishd[16367]: Child (16380) said SMF.s0 mmap'ed 1073741824 bytes of 1073741824
jul 28 15:19:08 mach5.hviaene.thuis systemd[1]: Started Varnish a high-perfomance HTTP accelerator.

# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
     Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

# systemctl start varnishncsa.service
# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
     Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2021-07-28 15:20:29 CEST; 15s ago
   Main PID: 16614 (varnishncsa)
      Tasks: 1 (limit: 9402)
     Memory: 328.0K
        CPU: 115ms
     CGroup: /system.slice/varnishncsa.service
             └─16614 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log

jul 28 15:20:29 mach5.hviaene.thuis systemd[1]: Started Varnish NCSA logging.

# varnishadm status
Child in state running

# varnishadm backend.list
Backend name   Admin      Probe    Health     Last change
boot.default   healthy    0/0      healthy    Wed, 28 Jul 2021 13:19:08 GMT

# varnishadm banner
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,5.10.52-desktop-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64

Type 'help' for command list.
Type 'quit' to close CLI session.

so OK for me.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Advisory:
========================

Updated varnish packages fix security vulnerability:

Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8 (CVE-2021-36740).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29290
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36740
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THV2DQA2GS65HUCKK4KSD2XLN3AAQ2V5/
- https://varnish-cache.org/security/VSV00007.html
========================

Updated packages in core/updates_testing:
========================
lib(64)varnish-devel-6.5.1-1.1.mga8
lib(64)varnish2-6.5.1-1.1.mga8
varnish-6.5.1-1.1.mga8

from SRPM:
varnish-6.5.1-1.1.mga8.src.rpm
CC: (none) => ouaurelien
Validating.
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-36740
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0387.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED