Bug 1813867 (CVE-2020-11653)
Field | Value
---|---
Summary | CVE-2020-11653 varnish: remote clients may cause Varnish to assert and restart which could result in DoS
Product | [Other] Security Response
Component | vulnerability
Status | CLOSED ERRATA
Severity | medium
Priority | medium
Version | unspecified
Target Milestone | ---
Target Release | ---
Hardware | All
OS | Linux
Whiteboard |
Fixed In Version | varnish 6.2.3, varnish 6.3.2
Doc Type | If docs needed, set a value
Doc Text |
Clone Of |
Environment |
Last Closed | 2020-11-04 02:24:46 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Reporter | Michael Kaplan <mkaplan>
Assignee | Red Hat Product Security <security-response-team>
QA Contact |
Docs Contact |
CC | hhorak, ingvar, jorton, luhliari
Keywords | Security
Story Points | ---
Bug Depends On | 1813869, 1813870, 1819936, 1819937, 1820205
Bug Blocks | 1813873
Description

Michael Kaplan, 2020-03-16 10:45:20 UTC

Created varnish tracking bugs for this issue:

Affects: epel-all [bug 1813870]
Affects: fedora-all [bug 1813869]

---

This was fixed in fedora 32 on 2020-02-10. Unfortunately, I forgot to make updates for f31 and f30. I have generated FEDORA-2020-872ec29251 (f30) and FEDORA-2020-71ca06dd55 (f31) now. Please test and leave karma.

https://bodhi.fedoraproject.org/updates/FEDORA-2020-872ec29251
https://bodhi.fedoraproject.org/updates/FEDORA-2020-71ca06dd55

Ingvar

---

Ingvar, thanks for pushing updates. FYI - the state for the "Security Response" vulnerability tracker bugs should be left to be managed by the security team.

---

Upstream commit for this issue:

https://github.com/varnishcache/varnish-cache/commit/2d8fc1a784a1e26d78c30174923a2b14ee2ebf62

---

External References:

https://varnish-cache.org/security/VSV00005.html#vsv00005

---

Mitigation:

A user can mitigate the problem by setting the proxy protocol to version 1 on the TLS Proxy side, as this flaw only affects the proxy protocol version 2.

---

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11653

---

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4756 https://access.redhat.com/errata/RHSA-2020:4756
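The mitigation above changes which PROXY protocol version the TLS terminator writes towards Varnish. The following configuration fragment is an added illustration of that change, not part of this bug report or of the Varnish or Hitch projects' own documentation; it assumes Hitch is the TLS proxy in front of Varnish, and the listen addresses and certificate path are constructed placeholder values. The commented-out line is the version 2 setting the advisory describes as affected; the active lines are the version 1 setting the mitigation calls for.

```ini
# Hitch configuration fragment, added example with constructed values.
frontend = "[*]:443"
backend  = "[127.0.0.1]:8443"        # Varnish listener started with -a :8443,PROXY (constructed address)
pem-file = "/etc/hitch/example.pem"  # placeholder certificate path

# Affected setup: Hitch sends a PROXY protocol version 2 header to Varnish.
# write-proxy-v2 = on

# Mitigated setup: send a PROXY protocol version 1 header instead, so the
# version 2 parsing path that this flaw concerns is not reached from this proxy.
write-proxy-v2 = off
write-proxy-v1 = on
```

Varnish's `PROXY` listener accepts both protocol versions, so only the proxy side needs to change, and the fixed releases (varnish 6.2.3 and 6.3.2 per this bug) remain the actual remedy. One caveat worth checking before switching: version 1 carries only the endpoint addresses, so anything that relied on version 2 TLV fields (such as TLS details passed through to VCL) is unavailable while the workaround is in place.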