[Bug 1709153] Re: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL

[Launchpad Bug Tracker]

This bug was fixed in the package varnish - 3.0.5-2ubuntu0.1

---
varnish (3.0.5-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: HTTP Smuggling issues: Double Content Length and bad EOL
(LP: #1709153).
- fix-HTTP-Smuggling-CVE-2015-8852.patch
- CVE-2015-8852
  * SECURITY UPDATE: Correctly handle bogusly large chunk sizes
(LP: #1709153).
- Correctly-handle-bogusly-large-chunk-sizes-CVE-2017-12425.patch
- CVE-2017-12425

 -- Simon Quigley   Mon, 07 Aug 2017 13:57:07 -0500

** Changed in: varnish (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1709153

Title:
  [CVE] HTTP Smuggling issues: Double Content Length and bad EOL

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1709153] Re: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL

[Simon Quigley]

** Changed in: varnish (Ubuntu Trusty)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1709153

Title:
  [CVE] HTTP Smuggling issues: Double Content Length and bad EOL

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1709153] Re: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL

[Seth Arnold]

Packages are building in the security-proposed ppa https://launchpad.net
/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages -- please test.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1709153

Title:
  [CVE] HTTP Smuggling issues: Double Content Length and bad EOL

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1709153] Re: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL

[Simon Quigley]

Here's a debdiff adding a patch for CVE-2017-12425 for Trusty applicable
to 3.0.5-2.

** Patch added: "2-3.0.5-2ubuntu0.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+attachment/4928851/+files/2-3.0.5-2ubuntu0.1.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1709153

Title:
  [CVE] HTTP Smuggling issues: Double Content Length and bad EOL

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1709153] Re: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL

[Seth Arnold]

Note that trusty's varnish is also vulnerable to CVE-2017-12425. Could
you work that into the patch too? (Note fetch_number() from
trusty/varnish-3.0.5/bin/varnishd/cache_fetch.c )

Thanks

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12425

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1709153

Title:
  [CVE] HTTP Smuggling issues: Double Content Length and bad EOL

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs