[CVE] HTTP Smuggling issues: Double Content Length and bad EOL

Bug #1709153 reported by Simon Quigley
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
varnish (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Simon Quigley |

Bug Description

Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.

This is tracked in CVE-2015-8852.
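
The condition described above, shown as an added example that is not part of the original report or of the Varnish patch: a strict request-head check of the kind a front-end hop can apply, rejecting bare CR/LF line terminators and repeated Content-Length headers. The function name and the sample requests are constructed for illustration.

```python
import re

# Header field-name characters (RFC 7230 "token").
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def check_request_head(head: bytes) -> list:
    """Return reasons to reject a raw request head; an empty list means accept.

    `head` runs from the request line through the blank line ending the headers.
    """
    if not head.endswith(b"\r\n\r\n"):
        return ["head does not end with CRLF CRLF"]
    problems, content_lengths = [], []
    for n, line in enumerate(head[:-4].split(b"\r\n")):
        # Anything left after splitting on CRLF is a bare CR or LF, which a
        # more lenient hop in the stack may treat as a line ending.
        if b"\r" in line or b"\n" in line:
            problems.append(f"line {n}: bare CR or LF inside line")
            continue
        if n == 0:
            continue  # request line: only header fields are checked here
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            problems.append(f"line {n}: malformed header field")
            continue
        if name.lower() == b"content-length":
            content_lengths.append(value.strip(b" \t"))
    if len(content_lengths) > 1:
        problems.append("multiple Content-Length headers")
    if any(not v.isdigit() for v in content_lengths):
        problems.append("non-numeric Content-Length")
    return problems

# Constructed sample request heads (not taken from the bug report).
GOOD = b"POST /form HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
DOUBLE_CL = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 0\r\n\r\n")
BARE_CR = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
           b"X-Pad: a\rContent-Length: 0\r\nContent-Length: 5\r\n\r\n")

if __name__ == "__main__":
    for label, head in (("good", GOOD), ("double CL", DOUBLE_CL), ("bare CR", BARE_CR)):
        print(label, "->", check_request_head(head) or "accept")
```

In the third sample a strict CRLF parser sees a single Content-Length while a parser that accepts a bare CR as a line ending sees two; rejecting the request outright removes that disagreement between hops.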

Simon Quigley (tsimonq2)
information type: Public → Public Security
Changed in varnish (Ubuntu):
status: New → Fix Released
Changed in varnish (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
summary: - HTTP Smuggling issues: Double Content Length and bad EOL
+ [CVE] HTTP Smuggling issues: Double Content Length and bad EOL
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Trusty applicable to 3.0.5-2.

Seth Arnold (seth-arnold) wrote :

Note that trusty's varnish is also vulnerable to CVE-2017-12425. Could you work that into the patch too? (Note fetch_number() from trusty/varnish-3.0.5/bin/varnishd/cache_fetch.c)

Thanks

Simon Quigley (tsimonq2) wrote :

Here's a debdiff adding a patch for CVE-2017-12425 for Trusty applicable to 3.0.5-2.

Seth Arnold (seth-arnold) wrote :

Packages are building in the security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages -- please test.

Thanks

Simon Quigley (tsimonq2)
Changed in varnish (Ubuntu Trusty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package varnish - 3.0.5-2ubuntu0.1

---------------
varnish (3.0.5-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: HTTP Smuggling issues: Double Content Length and bad EOL
    (LP: #1709153).
    - fix-HTTP-Smuggling-CVE-2015-8852.patch
    - CVE-2015-8852
  * SECURITY UPDATE: Correctly handle bogusly large chunk sizes
    (LP: #1709153).
    - Correctly-handle-bogusly-large-chunk-sizes-CVE-2017-12425.patch
    - CVE-2017-12425

 -- Simon Quigley <email address hidden> Mon, 07 Aug 2017 13:57:07 -0500

Changed in varnish (Ubuntu Trusty):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
