Bug 30048 - varnish new security issue CVE-2022-23959
Summary: varnish new security issue CVE-2022-23959
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-02-14 22:51 CET by David Walser
Modified: 2022-02-22 21:16 CET (History)
7 users (show)

See Also:
Source RPM: varnish-6.5.1-1.1.mga8.src.rpm
CVE: CVE-2022-23959
Status comment:


Attachments

Description David Walser 2022-02-14 22:51:11 CET
Debian-LTS has issued an advisory today (February 14):
https://www.debian.org/lts/security/2022/dla-2920

The issue is fixed upstream in 6.6.2:
https://docs.varnish-software.com/security/VSV00008/

Mageia 8 is also affected.
David Walser 2022-02-14 22:51:23 CET

Status comment: (none) => Fixed upstream in 6.6.2
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-02-15 19:35:36 CET
This package is somewhat homeless, so assigning the bug globally.
CC'ing NicolasL & DavidG as being the last two to commit it. If either of you take it on board, please do change the assignement to yourself.

CC: (none) => geiger.david68210, mageia
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2022-02-16 22:40:45 CET
Fedora has issued an advisory for this today (February 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
Comment 3 Nicolas Salguero 2022-02-18 09:53:59 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections. (CVE-2022-23959)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23959
https://www.debian.org/lts/security/2022/dla-2920
https://docs.varnish-software.com/security/VSV00008/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
========================

Updated packages in core/updates_testing:
========================
lib(64)varnish2-6.5.1-1.2.mga8
lib(64)varnish-devel-6.5.1-1.2.mga8
varnish-6.5.1-1.2.mga8

from SRPM:
varnish-6.5.1-1.2.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Source RPM: varnish-6.5.1-2.mga9.src.rpm => varnish-6.5.1-1.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 6.6.2 => (none)
CVE: (none) => CVE-2022-23959
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero

Comment 4 Herman Viaene 2022-02-21 11:46:11 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Ref bug 29290 Comment 3 for testing.
# systemctl start varnish.service
# systemctl status -l varnish.service
● varnish.service - Varnish a high-perfomance HTTP accelerator
     Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-02-21 11:38:19 CET; 36s ago
    Process: 23623 ExecStart=/usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a ${ADDRESS}:${PORT} -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thread_pool_max=1000 -p thre>
   Main PID: 23624 (varnishd)
      Tasks: 31 (limit: 9397)
     Memory: 30.2M
        CPU: 287ms
     CGroup: /system.slice/varnish.service
             ├─23624 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thread_pool_max=1000 -p thread_pool_timeout=120 ->
             └─23635 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thread_pool_max=1000 -p thread_pool_timeout=120 ->

feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: VCL compiled.
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Debug: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Debug: Platform: Linux,5.15.23-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Platform: Linux,5.15.23-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Debug: Child (23635) Started
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Child (23635) Started
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Child (23635) said Child starts
feb 21 11:38:19 mach5.hviaene.thuis varnishd[23624]: Child (23635) said SMF.s0 mmap'ed 1073741824 bytes of 1073741824
feb 21 11:38:19 mach5.hviaene.thuis systemd[1]: Started Varnish a high-perfomance HTTP accelerator.

# systemctl start varnishncsa.service 
# systemctl status -l varnishncsa.service 
● varnishncsa.service - Varnish NCSA logging
     Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-02-21 11:40:35 CET; 26s ago
   Main PID: 23784 (varnishncsa)
      Tasks: 1 (limit: 9397)
     Memory: 344.0K
        CPU: 201ms
     CGroup: /system.slice/varnishncsa.service
             └─23784 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log

feb 21 11:40:35 mach5.hviaene.thuis systemd[1]: Started Varnish NCSA logging.

# varnishadm status
Child in state running

# varnishadm backend.list
Backend name   Admin      Probe    Health     Last change
boot.default   healthy    0/0      healthy    Mon, 21 Feb 2022 10:38:19 GMT

# varnishadm banner
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,5.15.23-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64

Type 'help' for command list.
Type 'quit' to close CLI session.

All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-02-22 04:16:03 CET
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-02-22 19:50:07 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2022-02-22 21:16:23 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0079.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.