Please provide update for CVE-2021-36740 (VSV00007 Varnish HTTP/2 Request Smuggling Attack)

Bug #1939281 reported by Lienhart Woitok
This bug affects 2 people
Affects: varnish (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Luís Infante da Câmara

Bug Description

Greetings,

I'm unsure whether I should flag this as a security vulnerability or not, as the information is already out there anyway. Apologies if I misflagged, but I prefer to be safe rather than sorry.

Varnish Cache published a security update for CVE-2021-36740 a couple weeks ago: https://varnish-cache.org/security/VSV00007.html

The packages in Ubuntu have not been updated since, therefore I expect them to still be vulnerable to this attack.

Can you please provide updated packages fixing this vulnerability?

Thank you!

Best,
Lienhart

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
information type: Private Security → Public Security
Changed in varnish (Ubuntu):
status: New → Confirmed
Changed in varnish (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Luís Infante da Câmara (luis220413) wrote :

When reporting a public security vulnerability, check the box "This bug is a security vulnerability" and, when your report is complete, change the information type ("This report contains ... information") to Public Security.

Only Focal is vulnerable to CVE-2021-36740.

Patches for all Varnish CVEs in Ubuntu will be added tomorrow to bug #1971504.

Changed in varnish (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package varnish - 6.2.1-2ubuntu0.1

---------------
varnish (6.2.1-2ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Sensitive Information Disclosure
    - debian/patches/CVE-2019-20637.patch: Clear err_code and err_reason at
      start of request handling. (LP: #1971504, LP: #1939281)
      CVE-2019-20637
  * SECURITY UPDATE: Assertion failure
    - debian/patches/CVE-2020-11653.patch: Take sizeof pool_task into account
      when reserving WS in SES_Wait. (LP: #1971504, LP: #1939281)
      CVE-2020-11653
  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2021-36740.patch: Take content length into
      account on H/2 request bodies. (LP: #1971504, LP: #1939281)
    - debian/patches/CVE-2022-23959.patch: Mark req doclose when failing
      to ignore req body. (LP: #1971504, LP: #1939281)
      CVE-2021-36740
      CVE-2022-23959
  * Additions fixes
    - debian/patches/WS_ReserveAll.patch: Add WS_ReserveAll to replace
      WS_Reserve(ws, 0).
    - debian/patches/WS_ReserveSize.patch: Deprecate WS_Reserve() and replace
      it with WS_ReserveSize().

 -- Luís Infante da Câmara <email address hidden> Wed, 04 May 2022 21:16:37 +0100

Changed in varnish (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
