varnish:6 security update

Errata ID: AXSA:2022-4527:01

Release date: Tuesday, December 27, 2022 - 01:52
Subject: varnish:6 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.

Security Fix(es):

* varnish: Request Forgery Vulnerability (CVE-2022-45060)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-45060
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
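The following is an added illustration, not code from Varnish or from this advisory: it shows the validation step that the CVE text implies is needed when HTTP/2 pseudo-headers are turned into an HTTP/1 request line. The function names, the exception class and the sample inputs are hypothetical and constructed for this example, and the scope is limited to origin-form targets and `OPTIONS *`.

```python
import re

# RFC 9110 "token" characters: the only bytes an HTTP/1 method may contain.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Request-target bytes: visible ASCII only, so no SP, HTAB, CR, LF or NUL.
TARGET = re.compile(r"[\x21-\x7e]+")


class InvalidPseudoHeader(ValueError):
    """Raised when a pseudo-header cannot be placed in an HTTP/1 request line."""


def h2_to_h1_request_line(pseudo):
    """Return 'METHOD SP target SP HTTP/1.1' or raise InvalidPseudoHeader.

    Scope (assumption): origin-form targets and OPTIONS *, not CONNECT.
    """
    method = pseudo.get(":method", "")
    path = pseudo.get(":path", "")
    # fullmatch, not match with '$': '$' would accept a trailing '\n'.
    if not TOKEN.fullmatch(method):
        raise InvalidPseudoHeader(":method is not an HTTP token")
    if not TARGET.fullmatch(path):
        raise InvalidPseudoHeader(":path has bytes invalid in a request line")
    if not (path.startswith("/") or (method == "OPTIONS" and path == "*")):
        raise InvalidPseudoHeader(":path is not origin-form")
    return f"{method} {path} HTTP/1.1"


def is_rejected(pseudo):
    """True when the pseudo-headers must not be forwarded to an HTTP/1 backend."""
    try:
        h2_to_h1_request_line(pseudo)
    except InvalidPseudoHeader:
        return True
    return False


# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    {":method": "GET", ":path": "/index.html?x=1"},   # well-formed
    {":method": "GET", ":path": "/a b"},              # SP splits the line
    {":method": "GE T", ":path": "/"},                # SP inside the method
    {":method": "GET", ":path": "/a\r\nX-Added: 1"},  # CR LF ends the line early
    {":method": "GET", ":path": ""},                  # empty target
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("rejected" if is_rejected(s) else h2_to_h1_request_line(s), s)
```
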

Modularity name: varnish
Stream name: 6

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. varnish-modules-0.15.0-6.module+el8+1576+d489c25e.src.rpm
    MD5: 968f50a02b738186398e2f37d6b77d94
    SHA-256: 545d7b37d612a06cddb82e4bf628a68b58221b2ffce2db7fcdb42846fcac1e3a
    Size: 431.38 kB
  2. varnish-6.0.8-2.module+el8+1576+d489c25e.1.src.rpm
    MD5: 8b2c468ef4af845d940d260930f5cad6
    SHA-256: d7bdcf3bbd157caa49ce71ea18be7303ad9f74171769df601f0cf98995fb7daa
    Size: 3.07 MB

Asianux Server 8 for x86_64
  1. varnish-modules-0.15.0-6.module+el8+1576+d489c25e.x86_64.rpm
    MD5: 59038907babb933a4dde75f160d986b0
    SHA-256: d5b6316cfd26c7c717373eae137dfc579f6dd3efe4821d244af9215b20d676ae
    Size: 81.62 kB
  2. varnish-modules-debugsource-0.15.0-6.module+el8+1576+d489c25e.x86_64.rpm
    MD5: c52a3cfc99112a3e0d0eb7a6447fb3b2
    SHA-256: 7c94043f85bc403dfa864428f5848fb5c4e398477916683829015fd219d926d8
    Size: 31.64 kB
  3. varnish-6.0.8-2.module+el8+1576+d489c25e.1.x86_64.rpm
    MD5: 5c9555e61b7734d8c581c2e69fbede90
    SHA-256: 9e752c087b3451779749bdbc002f49aa5255b6e30e129fbf17902b2e9b2cc5f8
    Size: 0.95 MB
  4. varnish-devel-6.0.8-2.module+el8+1576+d489c25e.1.x86_64.rpm
    MD5: 381a3b45b09b6ffb9b531e149936f84c
    SHA-256: 5f3b40646178a13a8df7a3aae60a6c16962082a4aee19602c23ec0f14776c99f
    Size: 131.13 kB
  5. varnish-docs-6.0.8-2.module+el8+1576+d489c25e.1.x86_64.rpm
    MD5: f5f3772920ee73176b59f72cabf1695f
    SHA-256: e3c2b38f44f8b9678252021515221083a3951fc187a62d8629513362bcc36d93
    Size: 633.74 kB