Mageia 8 MGASA-2021-0387 Critical: Varnish Request Smuggling
mageia
July 28, 2021
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request
Summary
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL
authorization bypass via a large Content-Length header for a POST request.
This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x
and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8
(CVE-2021-36740).
References
- https://bugs.mageia.org/show_bug.cgi?id=29290
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/THV2DQA2GS65HUCKK4KSD2XLN3AAQ2V5/
- https://vinyl-cache.org/security/VSV00007.html
- https://www.cve.org/CVERecord?id=CVE-2021-36740
Resolution
SRPMS
- 8/core/varnish-6.5.1-1.1.mga8
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Publication date: 28 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0387.html
Type: security
CVE: CVE-2021-36740
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!