Bug 1195188 - (CVE-2022-23959) VUL-0: CVE-2022-23959: varnish: request smuggling can occur for HTTP/1 connections
Status: NEW
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other Other
Importance: P3 - Medium : Minor
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/321744/
 
Reported: 2022-01-27 09:22 UTC by Carlos López
Modified: 2022-06-15 19:14 UTC
Found By: Security Response Team


Description Carlos López 2022-01-27 09:22:37 UTC
CVE-2022-23959

In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before
6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x
before 6.0.9r4, request smuggling can occur for HTTP/1 connections.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23959
http://www.cvedetails.com/cve/CVE-2022-23959/
https://varnish-cache.org/security/VSV00008.html
https://docs.varnish-software.com/security/VSV00008/

Comment 1 Carlos López 2022-01-27 09:23:46 UTC
Affected:
 - openSUSE:Backports:SLE-15-SP3
 - openSUSE:Backports:SLE-15-SP4
 - openSUSE:Factory

Comment 2 Jan Engelhardt 2022-05-16 20:38:35 UTC
977603 977602

Comment 3 OBSbugzilla Bot 2022-05-16 22:40:23 UTC
This is an autogenerated message for OBS integration:
This bug (1195188) was mentioned in
https://build.opensuse.org/request/show/977601 Factory / varnish
https://build.opensuse.org/request/show/977602 Backports:SLE-15-SP3 / varnish
https://build.opensuse.org/request/show/977603 Backports:SLE-15-SP4 / varnish

Comment 4 Swamp Workflow Management 2022-05-27 10:22:34 UTC
openSUSE-SU-2022:0148-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1181400,1188470,1195188
CVE References: CVE-2021-36740,CVE-2022-23959
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    varnish-7.1.0-bp153.2.3.1

Comment 5 Swamp Workflow Management 2022-06-15 19:14:58 UTC
openSUSE-SU-2022:0144-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194469,1195188
CVE References: CVE-2021-4122,CVE-2022-23959
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    cryptsetup-2.3.7-150300.3.5.1
openSUSE Backports SLE-15-SP4 (src):    varnish-7.1.0-bp154.2.3.1