Security update for varnish SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:10198-1 Final 1 1 2022-11-11T11:15:39Z current 2022-11-11T11:15:39Z 2022-11-11T11:15:39Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for varnish This update for varnish fixes the following issues: Update to 7.2.1: - CVE-2022-45059: Fixed a HTTP request smuggling via hop-by-hop headers (boo#1205243). - CVE-2022-45060: Fixed a HTTP request forgery via character injection through HTTP/2 pseudo-headers (boo#1205242). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2022-10198 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFEBVAZE52U2TMYLTOEW3F7YGVD7XQL/ E-Mail link for openSUSE-SU-2022:10198-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1205242 SUSE Bug 1205242 https://bugzilla.suse.com/1205243 SUSE Bug 1205243 https://www.suse.com/security/cve/CVE-2022-45059/ SUSE CVE CVE-2022-45059 page https://www.suse.com/security/cve/CVE-2022-45060/ SUSE CVE CVE-2022-45060 page SUSE Package Hub 15 SP4 openSUSE Leap 15.4 libvarnishapi3-7.2.1-bp154.2.9.1 varnish-7.2.1-bp154.2.9.1 varnish-devel-7.2.1-bp154.2.9.1 libvarnishapi3-7.2.1-bp154.2.9.1 as a component of SUSE Package Hub 15 SP4 varnish-7.2.1-bp154.2.9.1 as a component of SUSE Package Hub 15 SP4 varnish-devel-7.2.1-bp154.2.9.1 as a component of SUSE Package Hub 15 SP4 libvarnishapi3-7.2.1-bp154.2.9.1 as a component of openSUSE Leap 15.4 varnish-7.2.1-bp154.2.9.1 as a component of openSUSE Leap 15.4 varnish-devel-7.2.1-bp154.2.9.1 as a component of openSUSE Leap 15.4 An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend. CVE-2022-45059 SUSE Package Hub 15 SP4:libvarnishapi3-7.2.1-bp154.2.9.1 SUSE Package Hub 15 SP4:varnish-7.2.1-bp154.2.9.1 SUSE Package Hub 15 SP4:varnish-devel-7.2.1-bp154.2.9.1 openSUSE Leap 15.4:libvarnishapi3-7.2.1-bp154.2.9.1 openSUSE Leap 15.4:varnish-7.2.1-bp154.2.9.1 openSUSE Leap 15.4:varnish-devel-7.2.1-bp154.2.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFEBVAZE52U2TMYLTOEW3F7YGVD7XQL/ https://www.suse.com/security/cve/CVE-2022-45059.html CVE-2022-45059 https://bugzilla.suse.com/1205243 SUSE Bug 1205243 An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected. CVE-2022-45060 SUSE Package Hub 15 SP4:libvarnishapi3-7.2.1-bp154.2.9.1 SUSE Package Hub 15 SP4:varnish-7.2.1-bp154.2.9.1 SUSE Package Hub 15 SP4:varnish-devel-7.2.1-bp154.2.9.1 openSUSE Leap 15.4:libvarnishapi3-7.2.1-bp154.2.9.1 openSUSE Leap 15.4:varnish-7.2.1-bp154.2.9.1 openSUSE Leap 15.4:varnish-devel-7.2.1-bp154.2.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FJFEBVAZE52U2TMYLTOEW3F7YGVD7XQL/ https://www.suse.com/security/cve/CVE-2022-45060.html CVE-2022-45060 https://bugzilla.suse.com/1205242 SUSE Bug 1205242