openSUSE has issued an advisory on November 11:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFEBVAZE52U2TMYLTOEW3F7YGVD7XQL/

The issue is fixed upstream in 6.0.11 and 7.2.1:
https://docs.varnish-software.com/security/VSV00011/

The other issue only affects 7.x, which we don't have yet.

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 6.0.11 and 7.2.1
No particular maintainer evident for this pkg, so having to assign the updates globally.
Whiteboard: (none) => MGA8TOO
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. (CVE-2022-45060)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45060
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFEBVAZE52U2TMYLTOEW3F7YGVD7XQL/
https://docs.varnish-software.com/security/VSV00011/
========================

Updated packages in core/updates_testing:
========================
lib(64)varnish2-6.5.1-1.3.mga8
lib(64)varnish-devel-6.5.1-1.3.mga8
varnish-6.5.1-1.3.mga8

from SRPM:
varnish-6.5.1-1.3.mga8.src.rpm
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 6.0.11 and 7.2.1 => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: varnish-6.5.1-4.mga9.src.rpm => varnish-6.5.1-1.2.mga8.src.rpm
CVE: (none) => CVE-2022-45060
Status: NEW => ASSIGNED
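The advisory text above describes the vulnerability class in one sentence: a proxy rebuilds an HTTP/1 request line from the HTTP/2 pseudo-headers, so any value that carries whitespace or control characters must be rejected before it is written towards the backend. The following is an added illustration of that check, written for this bug report; it is not Varnish's code and is not the upstream VSV00011 fix (see the reference above for that). The function names, the `PseudoHeaderError` class and the sample inputs are all constructed for the example.

```python
"""Model of pseudo-header validation when translating HTTP/2 to HTTP/1.

An HTTP/2 request carries its request line as the :method and :path
pseudo-headers. A proxy that turns them into "METHOD PATH HTTP/1.1\r\n"
must make sure each value is legal in that position, otherwise a space,
CR or LF inside a value ends the request line early and the backend
parses a request the proxy never intended to send (CVE-2022-45060 class).
Generic illustration only, not Varnish's implementation.
"""

import re

# RFC 9110 "token" characters: the only characters allowed in an HTTP/1 method.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Characters that can never appear inside an HTTP/1 request-line field:
# every control character (CR, LF, TAB, NUL, ...), SPACE and DEL.
_CTL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


class PseudoHeaderError(ValueError):
    """A pseudo-header value cannot be placed on an HTTP/1 request line."""


def validate_pseudo_headers(h2_headers: dict) -> None:
    """Raise PseudoHeaderError unless :method and :path are request-line safe."""
    method = h2_headers.get(":method")
    path = h2_headers.get(":path")
    if method is None or path is None:
        raise PseudoHeaderError("missing :method or :path pseudo-header")
    if not _TOKEN.match(method):
        raise PseudoHeaderError(f"invalid :method {method!r}")
    if path == "" or _CTL_OR_SPACE.search(path):
        raise PseudoHeaderError(":path is empty or contains whitespace/control characters")


def build_h1_request_line(h2_headers: dict) -> str:
    """Validate first, then build the HTTP/1.1 request line for the backend."""
    validate_pseudo_headers(h2_headers)
    return f"{h2_headers[':method']} {h2_headers[':path']} HTTP/1.1\r\n"


def is_acceptable(h2_headers: dict) -> bool:
    """Convenience wrapper: True when the request can be forwarded safely."""
    try:
        validate_pseudo_headers(h2_headers)
    except PseudoHeaderError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one clean request and two that would
    # break the HTTP/1 request line if forwarded unchecked.
    samples = {
        "clean": {":method": "GET", ":path": "/index.html"},
        "crlf in path": {":method": "GET", ":path": "/index.html\r\n"},
        "space in method": {":method": "GET X", ":path": "/"},
    }
    for label, hdrs in samples.items():
        print(f"{label:16s} -> {'forward' if is_acceptable(hdrs) else 'reject (400)'}")
```

A proxy that applies this check answers the client with a 400 instead of forwarding, which is the behaviour to look for when verifying a patched build: a request whose :path or :method contains a space, CR or LF must never reach the backend log.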
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 30048 for testing

# systemctl start varnish.service
# systemctl status -l varnish.service
● varnish.service - Varnish a high-perfomance HTTP accelerator
     Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-11-17 16:06:43 CET; 17s ago
    Process: 12506 ExecStart=/usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a ${ADDRESS}:${PORT} -T 12>
   Main PID: 12507 (varnishd)
      Tasks: 31 (limit: 4364)
     Memory: 32.0M
        CPU: 1.398s
     CGroup: /system.slice/varnish.service
             ├─12507 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 ->
             └─12519 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 ->

Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: VCL compiled.
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Debug: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Debug: Platform: Linux,5.15.74-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-h>
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Version: varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Platform: Linux,5.15.74-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Debug: Child (12519) Started
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Child (12519) Started
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Child (12519) said Child starts
Nov 17 16:06:43 mach7.hviaene.thuis varnishd[12507]: Child (12519) said SMF.s0 mmap'ed 1073741824 bytes of 1073741824
Nov 17 16:06:43 mach7.hviaene.thuis systemd[1]: Started Varnish a high-perfomance HTTP accelerator.
# systemctl start varnishncsa.service
# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
     Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-11-17 16:07:35 CET; 16s ago
   Main PID: 12593 (varnishncsa)
      Tasks: 1 (limit: 4364)
     Memory: 332.0K
        CPU: 253ms
     CGroup: /system.slice/varnishncsa.service
             └─12593 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log

Nov 17 16:07:35 mach7.hviaene.thuis systemd[1]: Started Varnish NCSA logging.

# varnishadm status
Child in state running

# varnishadm backend.list
Backend name                   Admin      Probe    Health     Last change
boot.default                   healthy    0/0      healthy    Thu, 17 Nov 2022 15:06:43 GMT

# varnishadm banner
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,5.15.74-server-1.mga8,x86_64,-jnone,-sfile,-sdefault,-hcritbit
varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64

Type 'help' for command list.
Type 'quit' to close CLI session.

All OK as in bug 30048
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0434.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED