Package "libvarnishapi2"
Name: |
libvarnishapi2
|
Description: |
shared libraries for Varnish
|
Latest version: |
6.2.1-2ubuntu0.2 |
Release: |
focal (20.04) |
Level: |
security |
Repository: |
universe |
Head package: |
varnish |
Homepage: |
https://www.varnish-cache.org/ |
Links
Download "libvarnishapi2"
Other versions of "libvarnishapi2" in Focal
Changelog
varnish (6.2.1-2ubuntu0.2) focal-security; urgency=medium
* SECURITY REGRESSION: Incomplete fix for CVE-2020-11653 (LP: #1986627)
- debian/patches/WS_ReserveAll.patch: Rename to CVE-2020-11653-01.patch.
- debian/patches/WS_ReserveSize.patch: Rename to CVE-2020-11653-02.patch.
- debian/patches/CVE-2020-11653-03.patch: Add a facility to test
WS_ReserveSize().
- debian/patches/CVE-2020-11653-04.patch: Correct the overflow condition in
WS_ReserveSize().
- debian/patches/CVE-2020-11653-05.patch: Fix copy-pasted test description.
- debian/patches/CVE-2020-11653-06.patch: Add Session Attribute workspace
overflow handling.
- debian/patches/CVE-2020-11653-07.patch: Simplify WS allocation in
tlv_string.
- debian/patches/CVE-2020-11653-08.patch: Try to make the proxy code session
workspace overflow test on 32-bit platforms.
- debian/patches/CVE-2020-11653-09.patch: Adjust the workspace session size
for 32-bit vtest machines.
- debian/patches/CVE-2020-11653-10.patch: Handle out of session workspace in
http1_new_session().
- debian/patches/CVE-2020-11653-11.patch: Remove extra call to
SES_Reserve_proto_priv().
- debian/patches/CVE-2020-11653-12.patch: Remove call to
SES_Reserve_proto_priv() in h2_init_sess().
- debian/patches/CVE-2020-11653-13.patch: Handle badly formatted proxy TLVs.
- debian/patches/CVE-2020-11653-14.patch: Add a missing assertion to
WS_ReserveAll().
- debian/patches/CVE-2020-11653-15.patch: Fix WS_ReserveSize calls when
bytes is equal to free workspace.
- debian/patches/CVE-2020-11653.patch: Rename to CVE-2020-11653-16.patch.
-- Luís Infante da Câmara <email address hidden> Tue, 16 Aug 2022 17:57:53 +0100
|
Source diff to previous version |
1986627 |
Incomplete fix for CVE-2020-11653 |
CVE-2020-11653 |
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a |
|
varnish (6.2.1-2ubuntu0.1) focal-security; urgency=medium
* SECURITY UPDATE: Sensitive Information Disclosure
- debian/patches/CVE-2019-20637.patch: Clear err_code and err_reason at
start of request handling. (LP: #1971504, LP: #1939281)
CVE-2019-20637
* SECURITY UPDATE: Assertion failure
- debian/patches/CVE-2020-11653.patch: Take sizeof pool_task into account
when reserving WS in SES_Wait. (LP: #1971504, LP: #1939281)
CVE-2020-11653
* SECURITY UPDATE: HTTP Request Smuggling
- debian/patches/CVE-2021-36740.patch: Take content length into
account on H/2 request bodies. (LP: #1971504, LP: #1939281)
- debian/patches/CVE-2022-23959.patch: Mark req doclose when failing
to ignore req body. (LP: #1971504, LP: #1939281)
CVE-2021-36740
CVE-2022-23959
* Additions fixes
- debian/patches/WS_ReserveAll.patch: Add WS_ReserveAll to replace
WS_Reserve(ws, 0).
- debian/patches/WS_ReserveSize.patch: Deprecate WS_Reserve() and replace
it with WS_ReserveSize().
-- Luís Infante da Câmara <email address hidden> Wed, 04 May 2022 21:16:37 +0100
|
1971504 |
Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Kinetic |
1939281 |
Please provide update for CVE-2021-36740 (VSV00007 Varnish HTTP/2 Request Smuggling Attack) |
CVE-2019-20637 |
An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between |
CVE-2020-11653 |
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a |
CVE-2021-36740 |
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This |
CVE-2022-23959 |
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r |
|
About
-
Send Feedback to @ubuntu_updates