Oracle has issued an advisory on April 10:
https://lwn.net/Articles/969301/
The problem is fixed in version 7.3.2.
Mageia 9 is also affected.
Status comment: (none) => Fixed upstream in 7.3.2
Source RPM: (none) => varnish-7.3.0-1.mga9.src.rpm
CVE: (none) => CVE-2024-30156
Whiteboard: (none) => MGA9TOO
Another parentless package, assigning this version update globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================
The updated packages fix a security vulnerability:
Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broke Window Attack. (CVE-2024-30156)
References:
https://lwn.net/Articles/969301/
========================
Updated packages in core/updates_testing:
========================
lib(6)4varnish3-7.3.2-1.mga9
lib(64)varnish-devel-7.3.2-1.mga9
varnish-7.3.2-1.mga9
from SRPM:
varnish-7.3.2-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9
Status comment: Fixed upstream in 7.3.2 => (none)
Assignee: pkg-bugs => qa-bugs
Oops:
Updated packages in core/updates_testing:
========================
lib(64)varnish3-7.3.2-1.mga9
lib(64)varnish-devel-7.3.2-1.mga9
varnish-7.3.2-1.mga9
from SRPM:
varnish-7.3.2-1.mga9.src.rpm
Keywords: (none) => advisory
MGA9-64 Plasma in VirtualBox.
No installation issues.
Following a test procedure from bug 29290 comment 3, which traces back to Bug 18244 comment 2 (Thank you, Herman and Claire!)

[root@localhost ~]# systemctl start varnish.service
[root@localhost ~]# systemctl status varnish.service
● varnish.service - Varnish a high-perfomance HTTP accelerator
     Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled; preset: disabled)
     Active: active (running) since Thu 2024-04-11 19:31:29 EDT; 23s ago
    Process: 97414 ExecStart=/usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a ${ADDRESS}:${PORT} -T 127.0.0.1:6082 -t 120 -W epoll -p thre>
   Main PID: 97415 (varnishd)
      Tasks: 31 (limit: 4690)
     Memory: 34.8M
        CPU: 488ms
     CGroup: /system.slice/varnish.service
             ├─97415 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thre>
             └─97428 /usr/sbin/varnishd -P /run/varnish/varnish.pid -f /etc/varnish/default.vcl -a :6081 -T 127.0.0.1:6082 -t 120 -W epoll -p thread_pool_min=5 -p thre>

Apr 11 19:31:28 localhost.localdomain systemd[1]: Starting varnish.service...
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Version: varnish-7.3.2 revision 68818d9cc0e62df1b9c20daf7e8cb257c1869f0f
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Platform: Linux,6.6.22-desktop-1.mga9,x86_64,-jnone,-sfile,-sdefault,-hcritbit
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Child (97428) Started
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Child launched OK
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Child (97428) said Child starts
Apr 11 19:31:29 localhost.localdomain varnishd[97415]: Child (97428) said SMF.s0 mmap'ed 1073741824 bytes of 1073741824
Apr 11 19:31:29 localhost.localdomain systemd[1]: Started varnish.service.

[root@localhost ~]# systemctl status -l varnishncsa.service
○ varnishncsa.service - Varnish NCSA logging
     Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; preset: disabled)
     Active: inactive (dead)
[root@localhost ~]# systemctl start varnishncsa.service
[root@localhost ~]# systemctl status -l varnishncsa.service
● varnishncsa.service - Varnish NCSA logging
     Loaded: loaded (/usr/lib/systemd/system/varnishncsa.service; disabled; preset: disabled)
     Active: active (running) since Thu 2024-04-11 19:33:53 EDT; 6s ago
   Main PID: 100349 (varnishncsa)
      Tasks: 1 (limit: 4690)
     Memory: 252.0K
        CPU: 55ms
     CGroup: /system.slice/varnishncsa.service
             └─100349 /usr/bin/varnishncsa -a -w /var/log/varnish/varnishncsa.log

Apr 11 19:33:53 localhost.localdomain systemd[1]: Started varnishncsa.service.

[root@localhost ~]# varnishadm status
Child in state running
[root@localhost ~]# varnishadm backend.list
Backend name   Admin      Probe    Health     Last change
boot.default   healthy    0/0      healthy    Thu, 11 Apr 2024 23:31:29 GMT
[root@localhost ~]# varnishadm banner
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,6.6.22-desktop-1.mga9,x86_64,-jnone,-sfile,-sdefault,-hcritbit
varnish-7.3.2 revision 68818d9cc0e62df1b9c20daf7e8cb257c1869f0f

Type 'help' for command list.
Type 'quit' to close CLI session.

All this is compatible with the test results in the cited bugs. OK for me. Validating.
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0124.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED