openSUSE-SU-2022:0148-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2022:0148-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2022:0148-1
Related
Published
2022-05-27T04:23:45Z
Modified
2022-05-27T04:23:45Z
Summary
Security update for varnish
Details

This update for varnish fixes the following issues:

varnish was updated to release 7.1.0 [boo#1195188] [CVE-2022-23959]

  • VCL: It is now possible to assign a BLOB value to a BODY variable, in addition to STRING as before.
  • VMOD: New STRING strftime(TIME time, STRING format) function for UTC formatting.

Update to release 6.6.1

  • CVE-2021-36740: Fix an HTTP/2.0 request smuggling vulnerability. [boo#1188470]

Update to release 6.6.0:

  • The bancutoff parameter now refers to the overall length of the ban list, including completed bans, where before only non-completed (“active”) bans were counted towards bancutoff.
  • Body bytes accounting has been fixed to always represent the number of body bytes moved on the wire, exclusive of protocol-specific overhead like HTTP/1 chunked encoding or HTTP/2 framing.
  • The connection close reason has been fixed to properly report SCRESPCLOSE where previously only SCREQCLOSE was reported.
  • Unless the new validate_headers feature is disabled, all newly set headers are now validated to contain only characters allowed by RFC7230.
  • The filterre, keepre and getre functions from the bundled cookie vmod have been changed to take the VCLREGEX type. This implies that their regular expression arguments now need to be literal, not e.g. string.
  • The interface for private pointers in VMODs has been changed, the VRT backend interface has been changed, many filter (VDP/VFP) related signatures have been changed, and the stevedore API has been changed. (Details thereto, see online changelog.)

Update to release 6.5.1

  • Bump the VRTMAJORVERSION number defined in the vrt.h

Update to release 6.5.0

  • PRIV_TOP is now thread-safe to support parallel ESI implementations.
  • varnishstat's JSON output format (-j option) has been changed.
  • Behavior for 304-type responses was changed not to update the Content-Encoding response header of the stored object.

  • Update Git-Web repository link

Update to release 6.4.0

  • The MAIN.sess_drop counter is gone.
  • backend 'none' was added for 'no backend'.
  • The hash algorithm of the hash director was changed, so backend selection will change once only when upgrading.
  • It is now possible for VMOD authors to customize the connection pooling of a dynamic backend.
  • For more, see changes.rst.

Update to release 6.3.2

  • Fix a denial of service vulnerability when using the proxy protocol version 2.

Update to release 6.3.0

  • The Host: header is folded to lower-case in the builtin_vcl.
  • Improved performance of shared memory statistics counters.
  • Synthetic objects created from vclbackenderror {} now replace existing stale objects as ordinary backend fetches would (for details see changes.rst)
References

Affected packages

SUSE:Package Hub 15 SP3 / varnish

Package

Name
varnish
Purl
pkg:rpm/suse/varnish&distro=SUSE%20Package%20Hub%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.1.0-bp153.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "varnish-devel": "7.1.0-bp153.2.3.1",
            "libvarnishapi3": "7.1.0-bp153.2.3.1",
            "varnish": "7.1.0-bp153.2.3.1"
        }
    ]
}

openSUSE:Leap 15.3 / varnish

Package

Name
varnish
Purl
pkg:rpm/opensuse/varnish&distro=openSUSE%20Leap%2015.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.1.0-bp153.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "varnish-devel": "7.1.0-bp153.2.3.1",
            "libvarnishapi3": "7.1.0-bp153.2.3.1",
            "varnish": "7.1.0-bp153.2.3.1"
        }
    ]
}