Debian-LTS has issued an advisory today (February 14):
https://www.debian.org/lts/security/2022/dla-2920

The issue is fixed upstream in 6.6.2:
https://docs.varnish-software.com/security/VSV00008/

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 6.6.2
Whiteboard: (none) => MGA8TOO
This package is somewhat homeless, so assigning the bug globally. CC'ing NicolasL & DavidG as being the last two to commit it. If either of you take it on board, please do change the assignment to yourself.
CC: (none) => geiger.david68210, mageia
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for this today (February 16): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections. (CVE-2022-23959)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23959
https://www.debian.org/lts/security/2022/dla-2920
https://docs.varnish-software.com/security/VSV00008/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
========================

Updated packages in core/updates_testing:
========================
lib(64)varnish2-6.5.1-1.2.mga8
lib(64)varnish-devel-6.5.1-1.2.mga8
varnish-6.5.1-1.2.mga8

from SRPM:
varnish-6.5.1-1.2.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Source RPM: varnish-6.5.1-2.mga9.src.rpm => varnish-6.5.1-1.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 6.6.2 => (none)
CVE: (none) => CVE-2022-23959
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Ref bug 29290 Comment 3 for testing.

# systemctl start varnish.service
# systemctl status -l varnish.service
● varnish.service - Varnish a high-perfomance HTTP accelerator
     Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-02-21 11:38:19 CET; 36s ago
    Process: 23623 ExecStart=/usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a ${ADDRESS}:${PORT} -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thread_pool_max=1000 -p thre>
   Main PID: 23624 (varnishd)
      Tasks: 31 (limit: 9397)
     Memory: 30.2M
        CPU: 287ms
     CGroup: /system.slice/varnish.service
             ├─23624 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thread_pool_max=1000 -p thread_pool_timeout=120 ->
             └─23635 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thread_pool_max=1000 -p thread_pool_timeout=120 ->

feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: VCL compiled.
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Debug: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Debug: Platform: Linux,5.15.23-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Platform: Linux,5.15.23-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Debug: Child (23635) Started
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Child (23635) Started
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Child (23635) said Child starts
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Child (23635) said SMF.s0 mmap'ed 1073741824 bytes of 1073741824
feb 21 11:38:19 mach5.hviaene.thuis systemd[1]: Started Varnish a high-perfomance HTTP accelerator.

# systemctl start varnishncsa.service
# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
     Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-02-21 11:40:35 CET; 26s ago
   Main PID: 23784 (varnishncsa)
      Tasks: 1 (limit: 9397)
     Memory: 344.0K
        CPU: 201ms
     CGroup: /system.slice/varnishncsa.service
             └─23784 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log

feb 21 11:40:35 mach5.hviaene.thuis systemd[1]: Started Varnish NCSA logging.

# varnishadm status
Child in state running

# varnishadm backend.list
Backend name   Admin      Probe    Health     Last change
boot.default   healthy    0/0      healthy    Mon, 21 Feb 2022 10:38:19 GMT

# varnishadm banner
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,5.15.23-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64

Type 'help' for command list.
Type 'quit' to close CLI session.

All OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0079.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED