openSUSE: 2022:0148-1 important: varnish | LinuxSecurity.com

   openSUSE Security Update: Security update for varnish
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0148-1
Rating:             important
References:         #1181400 #1188470 #1195188 
Cross-References:   CVE-2021-36740 CVE-2022-23959
CVSS scores:
                    CVE-2021-36740 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2021-36740 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-23959 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2022-23959 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP3
______________________________________________________________________________

   An update that solves two vulnerabilities and has one
   errata is now available.

Description:

   This update for varnish fixes the following issues:

   varnish was updated to release 7.1.0 [boo#1195188] [CVE-2022-23959]

   * VCL: It is now possible to assign a BLOB value to a BODY variable, in
     addition to STRING as before.
   * VMOD: New STRING strftime(TIME time, STRING format) function for UTC
     formatting.

   Update to release 6.6.1

   * CVE-2021-36740: Fix an HTTP/2.0 request smuggling vulnerability.
     [boo#1188470]

   Update to release 6.6.0:

   * The ban_cutoff parameter now refers to the overall length of the ban
     list, including completed bans, where before only non-completed
     (???active???) bans were counted towards ban_cutoff.
   * Body bytes accounting has been fixed to always represent the number of
     body bytes moved on the wire, exclusive of protocol-specific overhead
     like HTTP/1 chunked encoding or HTTP/2 framing.
   * The connection close reason has been fixed to properly report
     SC_RESP_CLOSE where previously only SC_REQ_CLOSE was reported.
   * Unless the new validate_headers feature is disabled, all newly set
     headers are now validated to contain only characters allowed by RFC7230.
   * The filter_re, keep_re and get_re functions from the bundled cookie vmod
     have been changed to take the VCL_REGEX type. This implies that their
     regular expression arguments now need to be literal, not e.g. string.
   * The interface for private pointers in VMODs has been changed, the VRT
     backend interface has been changed, many filter (VDP/VFP) related
     signatures have been changed, and the stevedore API has been changed.
     (Details thereto, see online changelog.)

   Update to release 6.5.1

   * Bump the VRT_MAJOR_VERSION number defined in the vrt.h

   Update to release 6.5.0

   * `PRIV_TOP` is now thread-safe to support parallel ESI implementations.
   * varnishstat's JSON output format (-j option) has been changed.
   * Behavior for 304-type responses was changed not to update the
     Content-Encoding response header of the stored object.

   - Update Git-Web repository link

   Update to release 6.4.0

   * The MAIN.sess_drop counter is gone.
   * backend "none" was added for "no backend".
   * The hash algorithm of the hash director was changed, so backend
     selection will change once only when upgrading.
   * It is now possible for VMOD authors to customize the connection pooling
     of a dynamic backend.
   * For more, see changes.rst.

   Update to release 6.3.2

   * Fix a denial of service vulnerability when using the proxy protocol
     version 2.

   Update to release 6.3.0

   * The Host: header is folded to lower-case in the builtin_vcl.
   * Improved performance of shared memory statistics counters.
   * Synthetic objects created from vcl_backend_error {} now replace existing
     stale objects as ordinary backend fetches would (for details see
     changes.rst)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-148=1



Package List:

   - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

      libvarnishapi3-7.1.0-bp153.2.3.1
      varnish-7.1.0-bp153.2.3.1
      varnish-devel-7.1.0-bp153.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2021-36740.html
   https://www.suse.com/security/cve/CVE-2022-23959.html
   https://bugzilla.suse.com/1181400
   https://bugzilla.suse.com/1188470
   https://bugzilla.suse.com/1195188

openSUSE: 2022:0148-1 important: varnish

May 27, 2022
An update that solves two vulnerabilities and has one errata is now available

Description

This update for varnish fixes the following issues: varnish was updated to release 7.1.0 [boo#1195188] [CVE-2022-23959] * VCL: It is now possible to assign a BLOB value to a BODY variable, in addition to STRING as before. * VMOD: New STRING strftime(TIME time, STRING format) function for UTC formatting. Update to release 6.6.1 * CVE-2021-36740: Fix an HTTP/2.0 request smuggling vulnerability. [boo#1188470] Update to release 6.6.0: * The ban_cutoff parameter now refers to the overall length of the ban list, including completed bans, where before only non-completed (???active???) bans were counted towards ban_cutoff. * Body bytes accounting has been fixed to always represent the number of body bytes moved on the wire, exclusive of protocol-specific overhead like HTTP/1 chunked encoding or HTTP/2 framing. * The connection close reason has been fixed to properly report SC_RESP_CLOSE where previously only SC_REQ_CLOSE was reported. * Unless the new validate_headers feature is disabled, all newly set headers are now validated to contain only characters allowed by RFC7230. * The filter_re, keep_re and get_re functions from the bundled cookie vmod have been changed to take the VCL_REGEX type. This implies that their regular expression arguments now need to be literal, not e.g. string. * The interface for private pointers in VMODs has been changed, the VRT backend interface has been changed, many filter (VDP/VFP) related signatures have been changed, and the stevedore API has been changed. (Details thereto, see online changelog.) Update to release 6.5.1 * Bump the VRT_MAJOR_VERSION number defined in the vrt.h Update to release 6.5.0 * `PRIV_TOP` is now thread-safe to support parallel ESI implementations. * varnishstat's JSON output format (-j option) has been changed. * Behavior for 304-type responses was changed not to update the Content-Encoding response header of the stored object. - Update Git-Web repository link Update to release 6.4.0 * The MAIN.sess_drop counter is gone. * backend "none" was added for "no backend". * The hash algorithm of the hash director was changed, so backend selection will change once only when upgrading. * It is now possible for VMOD authors to customize the connection pooling of a dynamic backend. * For more, see changes.rst. Update to release 6.3.2 * Fix a denial of service vulnerability when using the proxy protocol version 2. Update to release 6.3.0 * The Host: header is folded to lower-case in the builtin_vcl. * Improved performance of shared memory statistics counters. * Synthetic objects created from vcl_backend_error {} now replace existing stale objects as ordinary backend fetches would (for details see changes.rst)

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-148=1


Package List

- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64): libvarnishapi3-7.1.0-bp153.2.3.1 varnish-7.1.0-bp153.2.3.1 varnish-devel-7.1.0-bp153.2.3.1


References

https://www.suse.com/security/cve/CVE-2021-36740.html https://www.suse.com/security/cve/CVE-2022-23959.html https://bugzilla.suse.com/1181400 https://bugzilla.suse.com/1188470 https://bugzilla.suse.com/1195188


Severity
Announcement ID: openSUSE-SU-2022:0148-1
Rating: important
Affected Products: openSUSE Backports SLE-15-SP3 ble. Affected Products: openSUSE Backports SLE-15-SP3 ble.

Related News

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.