Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 557
Alerts This Week
Warning Icon 1 557

Ubuntu 22.04 LTS: USN-5474-1 Critical Varnish Cache Threats

ubuntu
Calendar Grey June 8, 2022
Dist Ubuntu Esm H88
Ubuntu Security Notice USN-5475-1 highlights critical issues related to OpenSSH, providing insights about the impacted platforms and necessary patches for mitigation.
Several security issues were fixed in Varnish Cache.

Summary

Several security issues were fixed in Varnish Cache.

Software Description:

- varnish: state of the art, high-performance web accelerator

Details:

It was dicovered that Varnish Cache did not clear a pointer between the

handling of one client request and the next request within the same connection.

A remote attacker could possibly use this issue to obtain sensitive

information. (CVE-2019-20637)

It was discovered that Varnish Cache could have an assertion failure when a

TLS termination proxy uses PROXY version 2. A remote attacker could possibly

use this issue to restart the daemon and cause a performance loss.

(CVE-2020-11653)

It was discovered that Varnish Cache allowed request smuggling and VCL

authorization bypass via a large Content-Length header for a POST

request. A remote attacker could possibly use this issue to obtain sensitive

information. (CVE-2021-36740)

It was discovered that Varnish Cache allowed request smuggling for HTTP/1

connections. A remote attacker could po...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  libvarnishapi2                  6.6.1-1ubuntu0.2
  varnish                         6.6.1-1ubuntu0.2

Ubuntu 21.10:
  libvarnishapi2                  6.5.2-1ubuntu0.2
  varnish                         6.5.2-1ubuntu0.2

Ubuntu 20.04 LTS:
  libvarnishapi2                  6.2.1-2ubuntu0.1
  varnish                         6.2.1-2ubuntu0.1

Ubuntu 18.04 LTS:
  libvarnishapi1                  5.2.1-1ubuntu0.1
  varnish                         5.2.1-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-5474-1

CVE-2019-20637, CVE-2020-11653, CVE-2021-36740, CVE-2022-23959

Severity
critical
Lowest
Low
Medium
High
Critical

June 08, 2022

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.