Description
Security update for varnish
This update for varnish fixes the following issues:
Update to 7.2.1:
- CVE-2022-45059: Fixed an HTTP request smuggling issue via hop-by-hop headers (boo#1205243).
- CVE-2022-45060: Fixed an HTTP request forgery issue via character injection through HTTP/2 pseudo-headers (boo#1205242).
Package list
SUSE Package Hub 15 SP4
openSUSE Leap 15.4
References
- E-Mail link for openSUSE-SU-2022:10198-1
- SUSE Security Ratings
- SUSE Bug 1205242
- SUSE Bug 1205243
- SUSE CVE CVE-2022-45059 page
- SUSE CVE CVE-2022-45060 page
Description
An issue was discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend.
Affected products
References
- CVE-2022-45059
- SUSE Bug 1205243
Description
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
Affected products
References
- CVE-2022-45060
- SUSE Bug 1205242