Brief introduction CVE-2021-36740 Martin Blix Grydeland discovered that Varnish is vulnerable to request smuggling attacks if the HTTP/2 protocol is enabled. CVE-2022-23959 James Kettle discovered a request smuggling attack against the HTTP/1 protocol implementation in Varnish. For the oldstable distribution (buster), these problems have been fixed in version 6.1.1-1+deb10u3. For the stable distribution (bullseye), these problems have been fixed in version 6.5.1-1+deb11u2. We recommend that you upgrade your varnish packages. For the detailed security status of varnish please refer to its security tracker page at: https://security-tracker.debian.org/tracker/varnish
Brief introduction
Martin Blix Grydeland discovered that Varnish is vulnerable to request smuggling attacks if the HTTP/2 protocol is enabled.
James Kettle discovered a request smuggling attack against the HTTP/1 protocol implementation in Varnish.
For the oldstable distribution (buster), these problems have been fixed in version 6.1.1-1+deb10u3.
For the stable distribution (bullseye), these problems have been fixed in version 6.5.1-1+deb11u2.
We recommend that you upgrade your varnish packages.
For the detailed security status of varnish please refer to its security tracker page at: https://security-tracker.debian.org/tracker/varnish