Date: Mon, 18 Apr 2016 08:05:30 +0000 (UTC)
From: Sébastien Delafond <seb@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Varnish 3 before 3.0.7 was vulnerable to HTTP Smuggling issues: Double Content Length and bad EOL

On 2016-04-16, Régis Leroy wrote:
> Varnish 4.x series is not impacted. Flaws fixed in version 3.0.7 in March 2015.
>
> Changelog is:
>  * Requests with multiple Content-Length headers will now fail.
>  * Stop recognizing a single CR (\r) as a HTTP line separator. This
> opened up a possible cache poisoning attack in stacked installations
> where sslterminator/varnish/backend had different CR handling.
>
> https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c
> https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3
>
> Combinations of these two flaws in HTTP protocol handling allow for
> "HTTP Response Splitting" attacks
> when another actor in front of Varnish3 can transmit headers in this
> form (for example):
>
>     Dummy: header\rContent-Length: 0\r\n
>
> This is a one-year-old issue, on the last release of this old series.
> But we still find some installations. A CVE would perhaps help with the
> removal of 3.x installations, or at least upgrades to 3.0.7.

Hi MITRE,

the Debian Security team considers the issue serious enough to release
a DSA, so we'd also appreciate it if this could be assigned a CVE.

Cheers,

--Seb
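As an added example that is not part of this thread or of Varnish's own code: a Python check, written from the position of the front-end or terminator operator, that parses one header block twice, once CRLF-strict and once CR-tolerant, and flags the two conditions the 3.0.7 changelog fixed (a bare CR used as a line separator, a repeated Content-Length) plus any disagreement between the two views. The sample inputs are constructed from the header shape quoted in the report; the function and constant names are my own.

```python
import re

# Constructed samples. SAMPLE_BAD carries the shape quoted in the report: a bare CR
# inside one header line, so a CR-tolerant parser sees a second Content-Length.
SAMPLE_OK = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\n\r\n")
SAMPLE_BAD = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\nDummy: header\rContent-Length: 0\r\n\r\n")


def split_lines(head: bytes, lenient: bool) -> list[bytes]:
    """Split a header block into lines. Strict mode accepts only CRLF; lenient
    mode mimics a parser that also treats a lone CR or lone LF as a separator."""
    if lenient:
        return re.split(rb"\r\n|\r|\n", head)
    return head.split(b"\r\n")


def content_lengths(lines: list[bytes]) -> list[bytes]:
    """Values of every Content-Length field, skipping the request line."""
    return [line.split(b":", 1)[1].strip()
            for line in lines[1:]
            if line.lower().startswith(b"content-length:")]


def strict_header_findings(raw: bytes) -> list[str]:
    """Return the reasons a front end should refuse to forward this header block.
    An empty list means the block is unambiguous under both parsing styles."""
    findings = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("header block not terminated by CRLF CRLF")
    # The 'bad EOL' flaw: any CR that is not immediately followed by LF.
    if re.search(rb"\r(?!\n)", head):
        findings.append("bare CR used as line separator")
    strict_cl = content_lengths(split_lines(head, lenient=False))
    lenient_cl = content_lengths(split_lines(head, lenient=True))
    # The 'double Content-Length' flaw, judged on the more permissive view.
    if len(lenient_cl) > 1:
        findings.append("multiple Content-Length headers: "
                        f"{[v.decode() for v in lenient_cl]}")
    # Two hops with different CR handling would frame the body differently.
    if strict_cl != lenient_cl:
        findings.append("CRLF-strict and CR-tolerant parsers disagree on Content-Length")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, strict_header_findings(sample))
```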
