Bugzilla – Bug 976097
VUL-0: CVE-2015-8852: varnish: Vulnerable to HTTP Smuggling issues: Double Content Length and bad EOL
Last modified: 2016-05-17 13:17:11 UTC
CVE-2015-8852

Flaw was fixed in version 3.0.7, so only openSUSE 13.2 is affected.

On 2016-04-16, Régis Leroy wrote:

Changelog is:
* Requests with multiple Content-Length headers will now fail.
* Stop recognizing a single CR (\r) as a HTTP line separator. This opened up a possible cache poisoning attack in stacked installations where sslterminator/varnish/backend had different CR handling.

https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c
https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3

Combinations of these two flaws in HTTP protocol handling allow for "HTTP Response Splitting" attacks when another actor in front of Varnish3 can transmit headers in this form (for example):

Dummy: header\rContent-Length: 0\r\n

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8852
http://seclists.org/oss-sec/2016/q2/95
bugbot adjusting priority
varnish4 requires configuration file changes, so it unfortunately is not fixable by just `zypper up`. Given EOL, what's a suitable approach?
(In reply to Jan Engelhardt from comment #2) 13.2 will still be supported for a while, so I would go for backporting the changes if that is possible (the patches look straightforward).
This is an autogenerated message for OBS integration: This bug (976097) was mentioned in https://build.opensuse.org/request/show/391954 13.2 / varnish
released
openSUSE-SU-2016:1316-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 976097
CVE References: CVE-2015-8852
Sources used:
openSUSE 13.2 (src): varnish-3.0.7-2.3.1