Source: varnish
Version: 7.1.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 6.5.1-1+deb11u2
Control: found -1 6.5.1-1

Hi,

The following vulnerability was published for varnish.

CVE-2022-45060[0]:
| An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and
| 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An
| attacker may introduce characters through HTTP/2 pseudo-headers that
| are invalid in the context of an HTTP/1 request line, causing the
| Varnish server to produce invalid HTTP/1 requests to the backend. This
| could, in turn, be used to exploit vulnerabilities in a server behind
| the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is
| affected.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-45060
    https://www.cve.org/CVERecord?id=CVE-2022-45060
[1] https://varnish-cache.org/security/VSV00011.html
[2] https://github.com/varnishcache/varnish-cache/commit/515a93df894430767073ccd8265497b6b25b54b5

Regards,
Salvatore
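
An added example, not part of the bug report and not Varnish's code, of the mechanism the CVE text describes: an HTTP/2 front end rebuilds an HTTP/1 request line from the :method, :path, :scheme and :authority pseudo-headers, so any byte that is legal inside an HPACK string but illegal in a request line (SP, HTAB, CR, LF, other controls) lets a client forge additional lines on the backend connection. The translator, the strict check and the line-oriented backend parser below are assumptions made for the demonstration; the sample pseudo-headers are constructed, not captured traffic.

```python
"""Toy HTTP/2-to-HTTP/1 translator (assumption, not Varnish code) showing
how a pseudo-header value can forge an HTTP/1 request, and the check
that rejects it before the request line is built."""
import re

# Bytes that can never appear in a request-line component: SP (the
# request-line delimiter), HTAB, CR, LF, the other C0 controls and DEL.
_CTL_OR_SP = re.compile(r"[\x00-\x20\x7f]")

# RFC 9110 "token" grammar, which an HTTP/1 method must satisfy.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class InvalidPseudoHeader(ValueError):
    """Raised when a pseudo-header cannot be carried in an HTTP/1 request line."""


def build_request_naive(pseudo, headers):
    """Vulnerable translation: copies pseudo-header values byte for byte."""
    lines = [
        f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
        f"Host: {pseudo[':authority']}",
    ]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def validate_pseudo_headers(pseudo):
    """Reject pseudo-header values that cannot sit in an HTTP/1 request line.

    Assumed policy: the method must be a token, :path must be non-empty,
    and none of :path, :scheme, :authority may contain a control or
    space byte. Percent-encoded paths satisfy this by construction.
    """
    if not _TOKEN.match(pseudo.get(":method", "")):
        raise InvalidPseudoHeader(":method is not a valid token")
    for name in (":path", ":scheme", ":authority"):
        if _CTL_OR_SP.search(pseudo.get(name, "")):
            raise InvalidPseudoHeader(f"{name} contains a control or space byte")
    if not pseudo.get(":path"):
        raise InvalidPseudoHeader(":path must not be empty")


def build_request_checked(pseudo, headers):
    """Hardened translation: validate first, then emit the same bytes."""
    validate_pseudo_headers(pseudo)
    return build_request_naive(pseudo, headers)


def backend_parse(raw):
    """Model of a line-oriented HTTP/1 backend: request line plus header map."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


# Constructed sample pseudo-headers (not from a real capture).
BENIGN = {":method": "GET", ":path": "/index.html", ":scheme": "https",
          ":authority": "www.example.com"}

# Constructed forgery: CRLF inside :path ends the request line early and
# smuggles a header the front end never treated as a header.
FORGED = {**BENIGN, ":path": "/ HTTP/1.1\r\nX-Forged: yes\r\nX-Tail:"}

if __name__ == "__main__":
    line, hdrs = backend_parse(build_request_naive(FORGED, {}))
    print("naive translation, backend sees:", line, hdrs)
    try:
        build_request_checked(FORGED, {})
    except InvalidPseudoHeader as e:
        print("checked translation rejected:", e)
```

Run as a script it shows the backend accepting an X-Forged header from the naive translator and the checked translator refusing the same pseudo-headers; the benign request passes both paths unchanged.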
