Bug 1195188 (CVE-2022-23959)

Summary: VUL-0: CVE-2022-23959: varnish: request smuggling can occur for HTTP/1 connections
Product: [openSUSE] openSUSE Tumbleweed Reporter: Carlos López <carlos.lopez>
Component: SecurityAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium    
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/321744/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2022-01-27 09:22:37 UTC
CVE-2022-23959

In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before
6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x
before 6.0.9r4, request smuggling can occur for HTTP/1 connections.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23959
http://www.cvedetails.com/cve/CVE-2022-23959/
https://varnish-cache.org/security/VSV00008.html
https://docs.varnish-software.com/security/VSV00008/
Comment 1 Carlos López 2022-01-27 09:23:46 UTC
Affected:
 - openSUSE:Backports:SLE-15-SP3
 - openSUSE:Backports:SLE-15-SP4
 - openSUSE:Factory
Comment 2 Jan Engelhardt 2022-05-16 20:38:35 UTC
977603 977602
Comment 3 OBSbugzilla Bot 2022-05-16 22:40:23 UTC
This is an autogenerated message for OBS integration:
This bug (1195188) was mentioned in
https://build.opensuse.org/request/show/977601 Factory / varnish
https://build.opensuse.org/request/show/977602 Backports:SLE-15-SP3 / varnish
https://build.opensuse.org/request/show/977603 Backports:SLE-15-SP4 / varnish
Comment 4 Swamp Workflow Management 2022-05-27 10:22:34 UTC
openSUSE-SU-2022:0148-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1181400,1188470,1195188
CVE References: CVE-2021-36740,CVE-2022-23959
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    varnish-7.1.0-bp153.2.3.1
Comment 5 Swamp Workflow Management 2022-06-15 19:14:58 UTC
openSUSE-SU-2022:0144-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194469,1195188
CVE References: CVE-2021-4122,CVE-2022-23959
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    cryptsetup-2.3.7-150300.3.5.1
openSUSE Backports SLE-15-SP4 (src):    varnish-7.1.0-bp154.2.3.1