An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
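The failure mode described above is that HTTP/2 pseudo-header values are copied into an HTTP/1 request line even though the two framings have different character rules: HTTP/2 carries each pseudo-header as a length-prefixed field, while HTTP/1 delimits the request line with spaces and CRLF, so any whitespace or control character in `:method` or `:path` changes the meaning of the serialised line. The following is an added example, not code from Varnish or the upstream fix, showing the check a proxy should apply before it serialises pseudo-headers into an HTTP/1 request line: `:method` and `:scheme` must be tokens, `:path` and `:authority` must be visible US-ASCII only, and CONNECT is handled separately because it carries no `:path` or `:scheme`. The function names and the sample pseudo-header sets are constructed for this example.

```python
import re

# RFC 9110 token characters (tchar); an HTTP method must be a non-empty token.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+\-.]*")
# Visible US-ASCII (0x21-0x7E). Space, HTAB, CR, LF, other control bytes, DEL
# and non-ASCII can never appear inside an HTTP/1 request line without
# changing how the backend parses it, so they are rejected outright.
VCHAR_RE = re.compile(r"[\x21-\x7e]+")


def validate_pseudo_headers(pseudo):
    """Return a list of problems found in an HTTP/2 pseudo-header set.

    An empty list means the values can be serialised into an HTTP/1 request
    line unambiguously. `pseudo` maps pseudo-header names (":method", ...)
    to their decoded string values.
    """
    problems = []
    method = pseudo.get(":method", "")
    if not TOKEN_RE.fullmatch(method):
        problems.append(":method is not a valid HTTP token")

    if method == "CONNECT":
        # RFC 9113 section 8.5: CONNECT carries only :method and :authority.
        if ":path" in pseudo or ":scheme" in pseudo:
            problems.append("CONNECT must not carry :path or :scheme")
        if not VCHAR_RE.fullmatch(pseudo.get(":authority", "")):
            problems.append(":authority is missing or contains invalid characters")
        return problems

    path = pseudo.get(":path", "")
    if not VCHAR_RE.fullmatch(path):
        problems.append(":path is empty or contains characters invalid in a request-target")
    elif not (path.startswith("/") or path == "*"):
        # origin-form ("/...") or asterisk-form ("*") are the only forms a
        # proxy should forward to an origin server.
        problems.append(":path is neither origin-form nor asterisk-form")

    if not SCHEME_RE.fullmatch(pseudo.get(":scheme", "")):
        problems.append(":scheme is missing or not a valid URI scheme")

    authority = pseudo.get(":authority")
    if authority is not None and not VCHAR_RE.fullmatch(authority):
        problems.append(":authority contains invalid characters")
    return problems


def http1_request_line(pseudo):
    """Serialise validated pseudo-headers into an HTTP/1.1 request line.

    Raises ValueError instead of emitting a request line the backend could
    parse differently from what the HTTP/2 client sent.
    """
    problems = validate_pseudo_headers(pseudo)
    if problems:
        raise ValueError("; ".join(problems))
    if pseudo[":method"] == "CONNECT":
        return f"CONNECT {pseudo[':authority']} HTTP/1.1"
    return f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1"


if __name__ == "__main__":
    # Constructed sample pseudo-header sets: one clean, two that must be refused.
    samples = [
        {":method": "GET", ":path": "/index.html", ":scheme": "https", ":authority": "example.com"},
        {":method": "GET", ":path": "/search q=1", ":scheme": "https", ":authority": "example.com"},
        {":method": "GE T", ":path": "/", ":scheme": "https"},
    ]
    for sample in samples:
        try:
            print("forward:", http1_request_line(sample))
        except ValueError as exc:
            print("reject: ", exc)
```

Rejecting rather than stripping or percent-encoding is the safer choice for a proxy: a client that sent a space in `:path` did not send a valid request-target, and rewriting it silently would still forward something the client never meant.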
Created varnish tracking bugs for this issue:
Affects: epel-7 [bug 2141848]
Affects: fedora-all [bug 2141847]
Public upstream commit for this issue: https://github.com/varnishcache/varnish-cache/commit/687ffb6452ba570778a83b6eb1df8ac1b31d9221
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8643 https://access.redhat.com/errata/RHSA-2022:8643
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2022:8644 https://access.redhat.com/errata/RHSA-2022:8644
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:8645 https://access.redhat.com/errata/RHSA-2022:8645
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
Via RHSA-2022:8646 https://access.redhat.com/errata/RHSA-2022:8646
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:8647 https://access.redhat.com/errata/RHSA-2022:8647
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:8649 https://access.redhat.com/errata/RHSA-2022:8649
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2022:8650 https://access.redhat.com/errata/RHSA-2022:8650