Advisories » MGASA-2022-0434

Updated varnish packages fix security vulnerability

Publication date: 18 Nov 2022
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-45060

Description

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x
before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may
introduce characters through HTTP/2 pseudo-headers that are invalid in the
context of an HTTP/1 request line, causing the Varnish server to produce
invalid HTTP/1 requests to the backend. This could, in turn, be used to
exploit vulnerabilities in a server behind the Varnish server.
(CVE-2022-45060)
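
The kind of check that closes this gap, as an added example (not code from Varnish or Mageia): validate HTTP/2 pseudo-header values against HTTP/1 request-line syntax before serializing them for the backend. The function names are hypothetical, and the choice of `:method` and `:path` and the exact rejection rules are assumptions based on the RFC 9110 token grammar.

```c
#include <stddef.h>
#include <string.h>

/* RFC 9110 "tchar": the only characters allowed in a method token. */
static int is_tchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
        (c >= 'a' && c <= 'z'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* :method must be a non-empty token (hypothetical helper). */
int method_ok(const char *v, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!is_tchar((unsigned char)v[i]))
            return 0;
    return 1;
}

/* :path becomes the request target: reject SP, all control bytes
 * (CR, LF, HTAB, NUL included) and DEL, since any of them would end
 * or split the HTTP/1 request line (hypothetical helper). */
int target_ok(const char *v, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c <= 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Serialize "METHOD SP target SP HTTP/1.1 CRLF" only when both values
 * validate and fit. Returns the line length, or -1 when the request
 * must be refused instead of forwarded. */
int build_request_line(char *out, size_t cap, const char *method,
                       size_t mlen, const char *path, size_t plen)
{
    static const char tail[] = " HTTP/1.1\r\n";
    size_t need = mlen + 1 + plen + sizeof(tail) - 1;
    if (!method_ok(method, mlen) || !target_ok(path, plen) || need + 1 > cap)
        return -1;
    memcpy(out, method, mlen);
    out[mlen] = ' ';
    memcpy(out + mlen + 1, path, plen);
    memcpy(out + mlen + 1 + plen, tail, sizeof(tail)); /* includes NUL */
    return (int)need;
}
```

A proxy would call `build_request_line` with the decoded pseudo-header values and answer a `-1` result with a client error rather than contacting the backend.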
                

References

SRPMS

8/core