Security update for varnish SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1316-1 Final 1 1 2016-05-17T09:21:46Z current 2016-05-17T09:21:46Z 2016-05-17T09:21:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for varnish This varnish update to version 3.0.7 fixes the following issues: Security issues fixed: - CVE-2015-8852: Vulnerable to HTTP Smuggling issues: Double Content Length and bad EOL. (boo#976097) Bugs fixed: - Stop recognizing a single CR (\r) as a HTTP line separator. - Improved error detection on master-child process communication, leading to faster recovery (child restart) if communication loses sync. - Fix a corner-case where Content-Length was wrong for HTTP 1.0 clients, when using gzip and streaming. - More robust handling of hop-by-hop headers. - Avoid memory leak when adding bans. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2016-05/msg00064.html E-Mail link for openSUSE-SU-2016:1316-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 libvarnishapi1-3.0.7-2.3.1 libvarnishapi1-debuginfo-3.0.7-2.3.1 varnish-3.0.7-2.3.1 varnish-debuginfo-3.0.7-2.3.1 varnish-debugsource-3.0.7-2.3.1 varnish-devel-3.0.7-2.3.1 libvarnishapi1-3.0.7-2.3.1 as a component of openSUSE 13.2 libvarnishapi1-debuginfo-3.0.7-2.3.1 as a component of openSUSE 13.2 varnish-3.0.7-2.3.1 as a component of openSUSE 13.2 varnish-debuginfo-3.0.7-2.3.1 as a component of openSUSE 13.2 varnish-debugsource-3.0.7-2.3.1 as a component of openSUSE 13.2 varnish-devel-3.0.7-2.3.1 as a component of openSUSE 13.2 Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request. CVE-2015-8852 openSUSE 13.2:libvarnishapi1-3.0.7-2.3.1 openSUSE 13.2:libvarnishapi1-debuginfo-3.0.7-2.3.1 openSUSE 13.2:varnish-3.0.7-2.3.1 openSUSE 13.2:varnish-debuginfo-3.0.7-2.3.1 openSUSE 13.2:varnish-debugsource-3.0.7-2.3.1 openSUSE 13.2:varnish-devel-3.0.7-2.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-05/msg00064.html https://www.suse.com/security/cve/CVE-2015-8852.html CVE-2015-8852 https://bugzilla.suse.com/976097 SUSE Bug 976097