Lucene search

Gentoo FoundationMGASA-2021-0387

HistoryJul 28, 2021 - 11:00 p.m.

Updated varnish packages fix a security vulnerability

2021-07-2823:00:51

Gentoo Foundation

advisories.mageia.org

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.005 Low

EPSS

Percentile

75.5%

JSON

Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8 (CVE-2021-36740).

OSVersionArchitecturePackageVersionFilename
Mageia8noarchvarnish< 6.5.1-1.1varnish-6.5.1-1.1.mga8

OS	Version	Architecture	Package	Version	Filename
Mageia	8	noarch	varnish	< 6.5.1-1.1	varnish-6.5.1-1.1.mga8

References

bugs.mageia.org/show_bug.cgi?id=29290

lists.fedoraproject.org/archives/list/[email protected]/thread/THV2DQA2GS65HUCKK4KSD2XLN3AAQ2V5/

varnish-cache.org/security/VSV00007.html

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.005 Low

EPSS

Percentile

75.5%

JSON

Related for MGASA-2021-0387