Headline
RHSA-2022:4745: Red Hat Security Advisory: rh-varnish6-varnish security update
An update for rh-varnish6-varnish is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-23959: varnish: HTTP/1 request smuggling vulnerability
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2022-05-25
Updated:
2022-05-25
RHSA-2022:4745 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: rh-varnish6-varnish security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for rh-varnish6-varnish is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don’t have to create the same web page over and over again, giving the website a significant speed up.
Security Fix(es):
- varnish: HTTP/1 request smuggling vulnerability (CVE-2022-23959)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
- Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Fixes
- BZ - 2045031 - CVE-2022-23959 varnish: HTTP/1 request smuggling vulnerability
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
SRPM
rh-varnish6-varnish-6.0.8-2.el7.1.src.rpm
SHA-256: 1cc912e1cb7e00ec968979ee34b95bf91789410b3416be007dcc10cdfece5f37
x86_64
rh-varnish6-varnish-6.0.8-2.el7.1.x86_64.rpm
SHA-256: f11f9b90bc806a7f5a077ecf24beea863e55b928d07ff96facc1f650c15d47a3
rh-varnish6-varnish-devel-6.0.8-2.el7.1.x86_64.rpm
SHA-256: 88528d7e05cb8ec9b719ce92a1446c4bec14582403369c254a701a9dd7026929
rh-varnish6-varnish-docs-6.0.8-2.el7.1.x86_64.rpm
SHA-256: 7ba671085eea3ee932897014f3afafd572571a15a6bf4a5f196711c256587df7
rh-varnish6-varnish-libs-6.0.8-2.el7.1.x86_64.rpm
SHA-256: 6689ac86816cdb8bdb20e04e4cb93ac360c3123a1db576c5ce005ded04c3ad5a
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7
SRPM
rh-varnish6-varnish-6.0.8-2.el7.1.src.rpm
SHA-256: 1cc912e1cb7e00ec968979ee34b95bf91789410b3416be007dcc10cdfece5f37
s390x
rh-varnish6-varnish-6.0.8-2.el7.1.s390x.rpm
SHA-256: 187941ec2751914f67fc3f6f48cfcd44e032f1e0277f5c677c797a5d0ee56e87
rh-varnish6-varnish-devel-6.0.8-2.el7.1.s390x.rpm
SHA-256: 15e8c60affa742bf8f0d5fcca4e7604db0ae9906cf80392046a789a5e5626f45
rh-varnish6-varnish-docs-6.0.8-2.el7.1.s390x.rpm
SHA-256: e5769c06a77c4f2f0918a2c6461d6d664f689893cf66ae768102e71234e9f283
rh-varnish6-varnish-libs-6.0.8-2.el7.1.s390x.rpm
SHA-256: 9d5321badc446f2ffe4679c3a0290b5c39995e273428f91ef6973717800dba90
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7
SRPM
rh-varnish6-varnish-6.0.8-2.el7.1.src.rpm
SHA-256: 1cc912e1cb7e00ec968979ee34b95bf91789410b3416be007dcc10cdfece5f37
ppc64le
rh-varnish6-varnish-6.0.8-2.el7.1.ppc64le.rpm
SHA-256: f2ba466a4f3e6381daefea1e45f31408fd3cab74345d545dbae3b5beb88a2804
rh-varnish6-varnish-devel-6.0.8-2.el7.1.ppc64le.rpm
SHA-256: 15deffa6fdcbeabec5eed5ba09faa4103f331b0a0c5e015c1190d79ea488ece6
rh-varnish6-varnish-docs-6.0.8-2.el7.1.ppc64le.rpm
SHA-256: 65445f814e9bd92178dc4826b5a1cf74ff30760e22b08d88a4c9452b3602e757
rh-varnish6-varnish-libs-6.0.8-2.el7.1.ppc64le.rpm
SHA-256: eb85f08c2dc4e584c6a93485ee4287fc1f781bbd8dfda62bb80a9b90d575e4ae
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
SRPM
rh-varnish6-varnish-6.0.8-2.el7.1.src.rpm
SHA-256: 1cc912e1cb7e00ec968979ee34b95bf91789410b3416be007dcc10cdfece5f37
x86_64
rh-varnish6-varnish-6.0.8-2.el7.1.x86_64.rpm
SHA-256: f11f9b90bc806a7f5a077ecf24beea863e55b928d07ff96facc1f650c15d47a3
rh-varnish6-varnish-devel-6.0.8-2.el7.1.x86_64.rpm
SHA-256: 88528d7e05cb8ec9b719ce92a1446c4bec14582403369c254a701a9dd7026929
rh-varnish6-varnish-docs-6.0.8-2.el7.1.x86_64.rpm
SHA-256: 7ba671085eea3ee932897014f3afafd572571a15a6bf4a5f196711c256587df7
rh-varnish6-varnish-libs-6.0.8-2.el7.1.x86_64.rpm
SHA-256: 6689ac86816cdb8bdb20e04e4cb93ac360c3123a1db576c5ce005ded04c3ad5a
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Threat actors can abuse weaknesses in HTTP request handling to launch damaging browser-based attacks on website users, researcher says.
Ubuntu Security Notice 5474-1 - It was dicovered that Varnish Cache did not clear a pointer between the handling of one client request and the next request within the same connection. A remote attacker could possibly use this issue to obtain sensitive information. It was discovered that Varnish Cache could have an assertion failure when a TLS termination proxy uses PROXY version 2. A remote attacker could possibly use this issue to restart the daemon and cause a performance loss.
Red Hat Security Advisory 2022-4745-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.