[Bug 1709153] Re: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL
This bug was fixed in the package varnish - 3.0.5-2ubuntu0.1 --- varnish (3.0.5-2ubuntu0.1) trusty-security; urgency=medium * SECURITY UPDATE: HTTP Smuggling issues: Double Content Length and bad EOL (LP: #1709153). - fix-HTTP-Smuggling-CVE-2015-8852.patch - CVE-2015-8852 * SECURITY UPDATE: Correctly handle bogusly large chunk sizes (LP: #1709153). - Correctly-handle-bogusly-large-chunk-sizes-CVE-2017-12425.patch - CVE-2017-12425 -- Simon Quigley Mon, 07 Aug 2017 13:57:07 -0500 ** Changed in: varnish (Ubuntu Trusty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1709153 Title: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1709153] Re: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL
** Changed in: varnish (Ubuntu Trusty) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1709153 Title: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1709153] Re: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL
Packages are building in the security-proposed ppa https://launchpad.net /~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages -- please test. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1709153 Title: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1709153] Re: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL
Here's a debdiff adding a patch for CVE-2017-12425 for Trusty applicable to 3.0.5-2. ** Patch added: "2-3.0.5-2ubuntu0.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+attachment/4928851/+files/2-3.0.5-2ubuntu0.1.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1709153 Title: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1709153] Re: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL
Note that trusty's varnish is also vulnerable to CVE-2017-12425. Could you work that into the patch too? (Note fetch_number() from trusty/varnish-3.0.5/bin/varnishd/cache_fetch.c ) Thanks ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12425 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1709153 Title: [CVE] HTTP Smuggling issues: Double Content Length and bad EOL To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1709153/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs