Description
Security update for varnish
This update for varnish fixes the following issues:
Security issue fixed:
- CVE-2019-15892: Fixed a potential denial of service by sending crafted HTTP/1 requests (boo#1149382).
Non-security issues fixed:
- Updated the package to release 6.2.1.
- Added a thread pool watchdog which will restart the worker process if scheduling tasks onto worker threads appears stuck. The new parameter 'thread_pool_watchdog' configures it.
- Disabled the error for clobbering, which caused a bogus error in varnishtest.
Package list
openSUSE Leap 15.0
libvarnishapi2-6.2.1-lp151.3.3.1
varnish-6.2.1-lp151.3.3.1
varnish-devel-6.2.1-lp151.3.3.1
openSUSE Leap 15.1
libvarnishapi2-6.2.1-lp151.3.3.1
varnish-6.2.1-lp151.3.3.1
varnish-devel-6.2.1-lp151.3.3.1
References
- E-Mail link for openSUSE-SU-2019:2184-1
- SUSE Security Ratings
- SUSE Bug 1149382
- SUSE CVE CVE-2019-15892 page
Description
An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.
Affected products
openSUSE Leap 15.0:libvarnishapi2-6.2.1-lp151.3.3.1
openSUSE Leap 15.0:varnish-6.2.1-lp151.3.3.1
openSUSE Leap 15.0:varnish-devel-6.2.1-lp151.3.3.1
openSUSE Leap 15.1:libvarnishapi2-6.2.1-lp151.3.3.1
References
- CVE-2019-15892
- SUSE Bug 1149382