Bug 579536
| Summary: | CVE-2009-2936 Varnish reverse proxy flaw [fedora-all] | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Josh Bressers <bressers> |
| Component: | varnish | Assignee: | Ingvar Hagelund <ingvar> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 13 | CC: | ingvar |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Release Note |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-06-27 15:25:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 579533 | | |
| Attachments: | | | |
Description
Josh Bressers
2010-04-05 18:53:49 UTC
The varnish upstream team disputes this security report, though I have learned that there is a kind of fix for Debian more or less available. I'll check that tomorrow. I feel that this is a bit far fetched, though. If a varnish instance is put into production without firewalling away the command port, he/she does not have enough knowledge about varnish in the first place. The documentation could be more explicit about this, perhaps.

Ingvar

Hi Ingvar,

I saw that upstream says this isn't a flaw. As I'm certainly no expert, I figured I'd file a varnish bug and you (someone who knows more than me) make the call. I'll support your decision if you want to call this not a flaw.

Thanks.

For the unstable release (rawhide/f14), I'll upgrade to varnish-2.1, which takes care of this problem upstream, see below. I'm unsure if there is still time to add varnish-2.1 to the upcoming f13 release.

For the stable releases (f11, f12, epel4, epel5), I plan to issue an update with the command line port disabled by default, some info about securing the port in the config file comments, and add a line or two in the README.redhat, and in %changelog. There is not much more to do about this. Existing users will get a /etc/sysconfig/varnish.rpmnew, and should read the changelog. New users will get a system that is "more secure", at least in the eyes of the original reporter of the "bug".

The "fix" in Debian (config that enables password protection to the admin port) is only available for the new 2.1 release, and not the existing 2.0 that is in Fedora. I'll either add a similar configuration when I package 2.1 for Fedora, or I'll just disable the port.

Ingvar

Created attachment 405102 [details]
varnish-2.1-libm.patch

If you take http://users.linpro.no/ingvar/varnish/2.1/varnish-2.1.0-1.fc12.src.rpm and try to rebuild it on Fedora 13+, it will fail with:

    /usr/bin/ld: vtc.o: undefined reference to symbol 'floor@@GLIBC_2.2.5'
    /usr/bin/ld: note: 'floor@@GLIBC_2.2.5' is defined in DSO /lib64/libm.so.6 so try adding it to the linker command line

If you remove your current "varnish.floor.patch" (patch1) and use my patch here instead, things will work fine. You of course have to run automake to get the changes applied to the Makefile.in. Please ensure that this patch gets included into the next upstream release of varnish. Thank you.

varnish-2.1.0-2 is in rawhide. The 2.1 series has support for an -S option, password protecting the admin telnet interface, thus fixing CVE-2009-2936 in rawhide.

varnish-2.1.0-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/varnish-2.1.0-2.fc13

This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

This was fixed in Fedora from version 2.1 and up.
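An added example, not code from the bug report or from the Varnish project, covering the two settings the thread turns on: whether the varnishd management ("telnet"/CLI) port given by -T addr:port is reachable from other hosts, and whether the -S secret file that Varnish 2.1 introduced is in use, together with the challenge-response that -S enables (the client answers the server's challenge with SHA-256 over challenge, newline, the raw secret-file contents, challenge, newline, sent as `auth <hex>`). The option strings and the path /etc/varnish/secret are constructed for the example; the check treats a bind to `:port` or `0.0.0.0:port` as network-reachable, which is the exposure the thread's "firewall the command port" advice is about.

```python
"""Added example, not code from the bug report or from the Varnish project.

1. audit_admin_port(): inspects a varnishd option string for the management
   listen address (-T addr:port) and the -S secret file, and flags the weak
   setting the thread describes: the CLI port reachable from other hosts with
   no authentication.
2. cli_auth_response() / cli_server_verify(): the challenge-response that -S
   enables in Varnish 2.1+.  The client proves knowledge of the secret file
   without sending it: SHA-256(challenge + "\n" + secret + challenge + "\n")
   in hex, sent as "auth <response>".

Assumptions (not from the bug report): the option strings below are
constructed samples; /etc/varnish/secret is an illustrative path.
"""
import hashlib
import hmac
import secrets
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample option strings, in the form varnishd accepts.
WEAK_OPTS = "-a :80 -T 0.0.0.0:6082 -f /etc/varnish/default.vcl"        # CLI open to the network, no auth
LOOPBACK_OPTS = "-a :80 -T 127.0.0.1:6082 -f /etc/varnish/default.vcl"  # 2.0-era mitigation: local only
HARDENED_OPTS = "-a :80 -T 127.0.0.1:6082 -S /etc/varnish/secret -f /etc/varnish/default.vcl"  # 2.1: local + secret
DISABLED_OPTS = "-a :80 -f /etc/varnish/default.vcl"                    # no -T: no CLI listener at all


def parse_varnishd_opts(cmdline):
    """Extract the -T and -S values (None if absent) from a varnishd option string.
    Accepts both '-T addr:port' and the glued '-Taddr:port' form."""
    argv = shlex.split(cmdline)
    opts = {"T": None, "S": None}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-T", "-S"):
            opts[arg[1]] = argv[i + 1] if i + 1 < len(argv) else None
            i += 2
            continue
        if arg[:2] in ("-T", "-S") and len(arg) > 2:
            opts[arg[1]] = arg[2:]
        i += 1
    return opts


def audit_admin_port(cmdline):
    """Classify exposure of the management interface.

    listen: 'none' (no -T), 'loopback', or 'remote' (any non-loopback host,
            including ':6082' and '0.0.0.0:6082', which bind every interface)
    auth:   True when -S is set
    risky:  reachable from other hosts with no authentication, the condition
            this bug is about
    """
    opts = parse_varnishd_opts(cmdline)
    if opts["T"] is None:
        listen = "none"
    else:
        host, _, _ = opts["T"].rpartition(":")   # '' for ':6082', '[::1]' for IPv6
        listen = "loopback" if host.strip("[]") in LOOPBACK else "remote"
    auth = opts["S"] is not None
    return {"listen": listen, "auth": auth, "risky": listen == "remote" and not auth}


def cli_server_challenge():
    """Server side: a fresh 32-character hex challenge per connection, which
    varnishd sends with its '107 Authentication required' status line."""
    return secrets.token_hex(16).encode("ascii")


def cli_auth_response(challenge, secret):
    """Client side (what varnishadm does with -S): hash the challenge around the
    raw secret-file contents.  `secret` is the whole file, trailing newline included."""
    h = hashlib.sha256()
    for part in (challenge, b"\n", secret, challenge, b"\n"):
        h.update(part)
    return h.hexdigest()


def cli_server_verify(challenge, secret, response):
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(cli_auth_response(challenge, secret), response)


def simulate_handshake(server_secret, client_secret):
    """Run one authentication exchange; True if the client is admitted."""
    challenge = cli_server_challenge()                                         # server -> client
    command = b"auth " + cli_auth_response(challenge, client_secret).encode()  # client -> server
    verb, _, response = command.decode().partition(" ")
    return verb == "auth" and cli_server_verify(challenge, server_secret, response)


if __name__ == "__main__":
    for name, opts in (("weak", WEAK_OPTS), ("loopback", LOOPBACK_OPTS),
                       ("hardened", HARDENED_OPTS), ("disabled", DISABLED_OPTS)):
        print(f"{name:9s} {audit_admin_port(opts)}")
    print("right secret admitted:", simulate_handshake(b"s3cret\n", b"s3cret\n"))
    print("wrong secret admitted:", simulate_handshake(b"s3cret\n", b"guess\n"))
```

audit_admin_port() is a pre-deployment check on whatever option string your init script ends up passing to varnishd. Note that a loopback-only result without -S still lets any local user drive the CLI, which is why the 2.1 packaging combines a loopback bind with a secret file rather than relying on either alone.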