varnish: CVE-2015-8852: HTTP Smuggling issues: Double Content Length and bad EOL

Related Vulnerabilities: CVE-2015-8852  

Debian Bug report logs - #783510


Reported by: Régis Leroy <regis.leroy@makina-corpus.com>

Date: Mon, 27 Apr 2015 16:24:01 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in versions varnish/3.0.5-1, varnish/3.0.2-1, varnish/3.0.2-2+deb7u1

Fixed in versions varnish/4.0.0-1, varnish/3.0.2-2+deb7u2

Done: Sebastien Delafond <seb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#783510; Package varnish. (Mon, 27 Apr 2015 16:24:06 GMT)


Acknowledgement sent to Régis Leroy <regis.leroy@makina-corpus.com>:
New Bug report received and forwarded. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Mon, 27 Apr 2015 16:24:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Régis Leroy <regis.leroy@makina-corpus.com>
To: submit@bugs.debian.org
Subject: varnish, backport upstream varnish4 http smuggling fix
Date: Mon, 27 Apr 2015 18:09:31 +0200
Package: varnish
Version: 3.0.2-2+deb7u1

On oldstable varnish v3 is still used.
Two security fixes have been made on this old version (nothing to do for
V4 used on stable).
They were added in 3.0.7:

- Stop recognizing a single CR (\r) as a HTTP line separator.
  This opened up a possible cache poisoning attack in stacked
  installations where sslterminator/varnish/backend had different CR handling.
- Requests with multiple Content-Length headers will now fail.

Patches are here:

 * https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c
 * https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3

I'd like to get these patches on the oldstable varnish package.



-- 
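As an added illustration (not code from the bug report or from Varnish itself), the following Python check rejects the two conditions the 3.0.7 fixes address, a lone CR used as a line separator and more than one Content-Length header, and a lenient splitter next to it shows how two parsers in a TLS-terminator/varnish/backend stack can disagree about which headers a request contains. The sample requests are constructed for this example.

```python
import re

# Constructed sample request heads (not taken from the bug report).
CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
BARE_CR = b"GET / HTTP/1.1\r\nHost: example.test\rX-Injected: 1\r\n\r\n"
DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 12\r\n\r\nhello=1&x=yyy")


def validate_request_head(raw: bytes):
    """Strict check: return (ok, reason, headers) for the head of a request.

    Only CRLF terminates a header line; a CR that is not part of CRLF is
    rejected instead of being tolerated, and a request carrying several
    Content-Length headers is rejected rather than picking one of them."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        return False, "incomplete-head", {}
    lines = raw[:end].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        # A leftover CR means a lenient peer would see a line break here
        # and this parser would not, so the two would disagree on the headers.
        if b"\r" in line:
            return False, "bare-cr", {}
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            return False, "malformed-header", {}
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    cl = headers.get(b"content-length", [])
    if len(cl) > 1:
        return False, "multiple-content-length", {}
    if cl and not cl[0].isdigit():
        return False, "bad-content-length", {}
    return True, "ok", headers


def lenient_header_names(raw: bytes):
    """How a parser that also accepts a lone CR as a line break (the behaviour
    removed in 3.0.7) splits the same head; shown only for the comparison."""
    head = raw[:raw.find(b"\r\n\r\n")]
    names = []
    for line in re.split(rb"\r\n|\r", head)[1:]:
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.strip().lower())
    return names
```

For the BARE_CR sample the lenient splitter reports a Host header and an X-Injected header while the strict check refuses the request outright, which is exactly the disagreement between stacked components that the report describes.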





Added tag(s) fixed-upstream, security, and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 23 Mar 2016 15:27:12 GMT)


Marked as fixed in versions varnish/4.0.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 18 Apr 2016 14:18:06 GMT)


Marked as found in versions varnish/3.0.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 18 Apr 2016 14:30:08 GMT)


Changed Bug title to 'varnish: CVE-2015-8852: HTTP Smuggling issues: Double Content Length and bad EOL' from 'varnish, backport upstream varnish4 http smuggling fix'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 18 Apr 2016 16:15:07 GMT)


Marked as found in versions varnish/3.0.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Apr 2016 16:18:03 GMT)


Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Fri, 22 Apr 2016 21:57:12 GMT)


Notification sent to Régis Leroy <regis.leroy@makina-corpus.com>:
Bug acknowledged by developer. (Fri, 22 Apr 2016 21:57:12 GMT)


Message #20 received at 783510-close@bugs.debian.org:

From: Sebastien Delafond <seb@debian.org>
To: 783510-close@bugs.debian.org
Subject: Bug#783510: fixed in varnish 3.0.2-2+deb7u2
Date: Fri, 22 Apr 2016 21:54:32 +0000
Source: varnish
Source-Version: 3.0.2-2+deb7u2

We believe that the bug you reported is fixed in the latest version of
varnish, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783510@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated varnish package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 20 Apr 2016 14:29:05 +0200
Source: varnish
Binary: varnish varnish-doc libvarnishapi1 libvarnishapi-dev varnish-dbg
Architecture: source amd64 all
Version: 3.0.2-2+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>
Changed-By: Sebastien Delafond <seb@debian.org>
Description: 
 libvarnishapi-dev - development files for Varnish
 libvarnishapi1 - shared libraries for Varnish
 varnish    - state of the art, high-performance web accelerator
 varnish-dbg - debugging symbols for varnish
 varnish-doc - documentation for Varnish Cache
Closes: 783510
Changes: 
 varnish (3.0.2-2+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix HTTP Smuggling issues (CVE-2015-8852, Closes: #783510)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 21 May 2016 07:26:20 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:03:04 2019; Machine Name: buxtehude
