An assert can be triggered in Varnish Cache when using Varnish with a TLS termination proxy, and the proxy and Varnish use the PROXY version 2. The assert will cause Varnish to restart, and the cache will be empty after the restart. Upstream Reference: https://varnish-cache.org/security/VSV00005.html#vsv00005
Created varnish tracking bugs for this issue: Affects: epel-all [bug 1813870] Affects: fedora-all [bug 1813869]
This was fixed in fedora 32 on 2020-02-10. Unfortunately, I forgot to make updates for f31 and f30. I have generated FEDORA-2020-872ec29251 (f30) and FEDORA-2020-71ca06dd55 (f31) now. Please test and leave karma. https://bodhi.fedoraproject.org/updates/FEDORA-2020-872ec29251 https://bodhi.fedoraproject.org/updates/FEDORA-2020-71ca06dd55 Ingvar
Ingvar, thanks for pushing updates. FYI - the state for the "Security Response" vulnerability tracker bugs should be left to be managed by the security team.
Upstream commit for this issue: https://github.com/varnishcache/varnish-cache/commit/2d8fc1a784a1e26d78c30174923a2b14ee2ebf62
External References: https://varnish-cache.org/security/VSV00005.html#vsv00005
Mitigation: An user can mitigate the problem by setting the proxy protocol to version 1 on the TLS Proxy side, as this flaw only affects the proxy protocol version 2.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11653
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4756 https://access.redhat.com/errata/RHSA-2020:4756