Date: Mon, 18 Apr 2016 08:05:30 +0000 (UTC)
From: Sébastien Delafond <seb@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Varnish 3 before 3.0.7 was vulnerable to HTTP Smuggling issues: Double Content Length and bad EOL

On 2016-04-16, Régis Leroy wrote:
> Varnish 4.x series is not impacted. Flaws fixed in version 3.0.7 in March 2015.
>
> Changelog is:
> * Requests with multiple Content-Length headers will now fail.
> * Stop recognizing a single CR (\r) as a HTTP line separator. This
>   opened up a possible cache poisoning attack in stacked installations
>   where sslterminator/varnish/backend had different CR handling.
>
> https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c
> https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3
>
> Combinations of these two flaws in HTTP protocol handling allow for
> "HTTP Response Splitting" attacks
> when another actor in front of Varnish3 can transmit headers in this
> form (for example):
>
> Dummy: header\rContent-Length: 0\r\n
>
> This is a one year old issue, on the old last release of this series.
> But we still find some installations. A CVE would maybe help removal
> of 3.x installations, or at least upgrades to 3.0.7.

Hi Mitre,

the Debian Security team considers the issue serious enough to release a DSA, so we'd also appreciate if this could be assigned a CVE.

Cheers,

--Seb
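The two parsing differences the changelog above describes (a bare CR accepted as a line terminator, and duplicate Content-Length headers) are what let two hops in a proxy chain disagree about where a request body starts. As an added illustration that is not part of this thread or of Varnish's own code, the following checker parses a raw header block both strictly (CRLF only) and leniently (bare CR also ends a line, as pre-3.0.7 Varnish did) and reports the conditions a front end should reject before forwarding; the sample requests are constructed here, the first one using the header form quoted in the report.

```python
import re

# Constructed samples (not from the report's actual traffic).
# The first uses the header shape quoted above: a lone CR hides a
# Content-Length header from a strict parser but not from a lenient one.
SAMPLE = (b"POST /x HTTP/1.1\r\nHost: example\r\n"
          b"Dummy: header\rContent-Length: 0\r\n\r\n")
# The second carries two Content-Length headers, which 3.0.7 now rejects.
DOUBLE_CL = (b"POST /x HTTP/1.1\r\nHost: example\r\n"
             b"Content-Length: 5\r\nContent-Length: 0\r\n\r\n")


def split_header_lines(raw, bare_cr_is_eol):
    """Split the header block into lines.
    Strict mode accepts only CRLF (RFC 7230). Lenient mode mimics the
    pre-3.0.7 behaviour where a lone CR also terminated a line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    if bare_cr_is_eol:
        return re.split(rb"\r\n|\r", head)
    return head.split(b"\r\n")


def parse_headers(raw, bare_cr_is_eol=False):
    """Map lower-cased header name -> list of values (duplicates kept)."""
    headers = {}
    for line in split_header_lines(raw, bare_cr_is_eol)[1:]:  # skip request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def has_bare_cr(raw):
    """True if any CR in the header block is not part of a CRLF pair."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return b"\r" in head.replace(b"\r\n", b"")


def check_request(raw):
    """Reasons a defensive front end should reject (or normalise) the request."""
    problems = []
    strict = parse_headers(raw, bare_cr_is_eol=False)
    lenient = parse_headers(raw, bare_cr_is_eol=True)
    if len(strict.get(b"content-length", [])) > 1:
        problems.append("multiple Content-Length headers")
    if has_bare_cr(raw):
        problems.append("bare CR inside a header line")
    # The actual desync condition: the two parsers disagree on body framing.
    if strict.get(b"content-length") != lenient.get(b"content-length"):
        problems.append("Content-Length differs between strict and lenient parsing")
    return problems
```

Run `check_request(SAMPLE)` to see both the bare-CR finding and the framing disagreement; `check_request(DOUBLE_CL)` reports only the duplicate header, since both parsers see the same two values there.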