New upstream release: A security release. This release includes fix for CVE-2022-45059 (VSV00011) and CVE-2022-45060 (VSV00010). From the upstream release notes:
VSV00010 Varnish Request Smuggling Vulnerability
Date: 2022-11-08
A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend. Among the headers that can be filtered this way are both Content-Length and Host, making it possible for an attacker to both break the HTTP/1 protocol framing, and bypass request to host routing in VCL.
VSV00011 Varnish HTTP/2 Request Forgery Vulnerability
Date: 2022-11-08
A request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2022-0d5dcc031ePlease login to add feedback.
This update's test gating status has been changed to 'waiting'.
ingvar edited this update.
This update's test gating status has been changed to 'ignored'.
This update has been submitted for testing by bodhi.
This update has been pushed to testing.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.