1328361 – (CVE-2015-8852) CVE-2015-8852 varnish: http smuggling issues

Bug 1328361 (CVE-2015-8852) - CVE-2015-8852 varnish: http smuggling issues

Summary: CVE-2015-8852 varnish: http smuggling issues

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2015-8852
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1328362 1328363
Blocks:
TreeView+	depends on / blocked

Reported:	2016-04-19 08:17 UTC by Andrej Nemec
Modified:	2019-09-29 13:47 UTC (History)
CC List:	5 users (show)
Fixed In Version:	varnish 3.0.7
Clone Of:
Environment:
Last Closed:	2016-12-12 13:15:51 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2016-04-19 08:17:12 UTC

An old flaw found in Varnish 3 before 3.0.7 It combines two flaws in HTTP protocol handling which allow for HTTP Response Splitting attacks.

Upstream fix:

https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c
https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3

References:

http://seclists.org/oss-sec/2016/q2/81

Comment 1 Andrej Nemec 2016-04-19 08:17:55 UTC

Created varnish tracking bugs for this issue:

Affects: epel-5 [bug 1328362]
Affects: epel-6 [bug 1328363]

Note You need to log in before you can comment on or make changes to this bug.