Fedora Linux 8647 Published by

A varnish-modules security update has been released for Fedora 37.

SECURITY: Fedora 37 Update: varnish-modules-0.20.0-4.fc37

Fedora Update Notification
2022-11-23 01:15:30.165665

Name : varnish-modules
Product : Fedora 37
Version : 0.20.0
Release : 4.fc37
URL :   https://github.com/varnish/varnish-modules
Summary : A collection of modules ("vmods") extending Varnish VCL
Description :
This is a collection of modules ("vmods") extending Varnish VCL used
for describing HTTP request/response policies with additional
capabilities. This collection contains the following vmods:
bodyaccess, header, saintmode, tcp, var, vsthrottle, xkey

Update Information:

New upstream release: A security release. This release includes fix for
CVE-2022-45059 (VSV00011) and CVE-2022-45060 (VSV00010). From the upstream
release notes: VSV00010 Varnish Request Smuggling Vulnerability Date:
2022-11-08 A request smuggling attack can be performed on Varnish Cache servers
by requesting that certain headers are made hop-by-hop, preventing the Varnish
Cache servers from forwarding critical headers to the backend. Among the headers
that can be filtered this way are both Content-Length and Host, making it
possible for an attacker to both break the HTTP/1 protocol framing, and bypass
request to host routing in VCL. VSV00011 Varnish HTTP/2 Request Forgery
Vulnerability Date: 2022-11-08 A request forgery attack can be performed on
Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may
introduce characters through the HTTP/2 pseudo-headers that are invalid in the
context of an HTTP/1 request line, causing the Varnish server to produce invalid
HTTP/1 requests to the backend. This may in turn be used to successfully exploit
vulnerabilities in a server behind the Varnish server.

* Mon Nov 14 2022 Ingvar Hagelund - 0.20.0-4
- Built for varnish-7.1.2

[ 1 ] Bug #2141842 - CVE-2022-45059 varnish: Request Smuggling Vulnerability [fedora-all]
[ 2 ] Bug #2141847 - CVE-2022-45060 varnish: Request Forgery Vulnerability [fedora-all]

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-0d5dcc031e' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at