Fedora Linux 8647 Published by

A varnish-modules security update has been released for Fedora 37.



SECURITY: Fedora 37 Update: varnish-modules-0.20.0-4.fc37


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-0d5dcc031e
2022-11-23 01:15:30.165665
--------------------------------------------------------------------------------

Name : varnish-modules
Product : Fedora 37
Version : 0.20.0
Release : 4.fc37
URL :   https://github.com/varnish/varnish-modules
Summary : A collection of modules ("vmods") extending Varnish VCL
Description :
This is a collection of modules ("vmods") extending Varnish VCL used
for describing HTTP request/response policies with additional
capabilities. This collection contains the following vmods:
bodyaccess, header, saintmode, tcp, var, vsthrottle, xkey

--------------------------------------------------------------------------------
Update Information:

New upstream release: A security release. This release includes fix for
CVE-2022-45059 (VSV00011) and CVE-2022-45060 (VSV00010). From the upstream
release notes: VSV00010 Varnish Request Smuggling Vulnerability Date:
2022-11-08 A request smuggling attack can be performed on Varnish Cache servers
by requesting that certain headers are made hop-by-hop, preventing the Varnish
Cache servers from forwarding critical headers to the backend. Among the headers
that can be filtered this way are both Content-Length and Host, making it
possible for an attacker to both break the HTTP/1 protocol framing, and bypass
request to host routing in VCL. VSV00011 Varnish HTTP/2 Request Forgery
Vulnerability Date: 2022-11-08 A request forgery attack can be performed on
Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may
introduce characters through the HTTP/2 pseudo-headers that are invalid in the
context of an HTTP/1 request line, causing the Varnish server to produce invalid
HTTP/1 requests to the backend. This may in turn be used to successfully exploit
vulnerabilities in a server behind the Varnish server.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 14 2022 Ingvar Hagelund - 0.20.0-4
- Built for varnish-7.1.2
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2141842 - CVE-2022-45059 varnish: Request Smuggling Vulnerability [fedora-all]
  https://bugzilla.redhat.com/show_bug.cgi?id=2141842
[ 2 ] Bug #2141847 - CVE-2022-45060 varnish: Request Forgery Vulnerability [fedora-all]
  https://bugzilla.redhat.com/show_bug.cgi?id=2141847
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-0d5dcc031e' at the command
line. For more information, refer to the dnf documentation available at
  http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
  https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________