Security update for varnish SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0808-1 Final 1 1 2020-06-13T10:17:05Z current 2020-06-13T10:17:05Z 2020-06-13T10:17:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for varnish This update for varnish fixes the following issues: - CVE-2019-20637: Fixed an information leak when handling one client request and the next on the same connection (boo#1169040) - CVE-2020-11653: Fixed a performance loss due to an assertion failure and daemon restart when communicating with TLS termination proxy that uses PROXY version 2 (boo#1169039) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-808 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PCUUXZW2DUUNCOBXQJNOGTFZJED26EJM/ E-Mail link for openSUSE-SU-2020:0808-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1169039 SUSE Bug 1169039 https://bugzilla.suse.com/1169040 SUSE Bug 1169040 https://www.suse.com/security/cve/CVE-2019-20637/ SUSE CVE CVE-2019-20637 page https://www.suse.com/security/cve/CVE-2020-11653/ SUSE CVE CVE-2020-11653 page openSUSE Leap 15.1 libvarnishapi2-6.2.1-lp151.3.6.1 varnish-6.2.1-lp151.3.6.1 varnish-devel-6.2.1-lp151.3.6.1 libvarnishapi2-6.2.1-lp151.3.6.1 as a component of openSUSE Leap 15.1 varnish-6.2.1-lp151.3.6.1 as a component of openSUSE Leap 15.1 varnish-devel-6.2.1-lp151.3.6.1 as a component of openSUSE Leap 15.1 An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers. CVE-2019-20637 openSUSE Leap 15.1:libvarnishapi2-6.2.1-lp151.3.6.1 openSUSE Leap 15.1:varnish-6.2.1-lp151.3.6.1 openSUSE Leap 15.1:varnish-devel-6.2.1-lp151.3.6.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PCUUXZW2DUUNCOBXQJNOGTFZJED26EJM/ https://www.suse.com/security/cve/CVE-2019-20637.html CVE-2019-20637 https://bugzilla.suse.com/1169040 SUSE Bug 1169040 An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss. CVE-2020-11653 openSUSE Leap 15.1:libvarnishapi2-6.2.1-lp151.3.6.1 openSUSE Leap 15.1:varnish-6.2.1-lp151.3.6.1 openSUSE Leap 15.1:varnish-devel-6.2.1-lp151.3.6.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PCUUXZW2DUUNCOBXQJNOGTFZJED26EJM/ https://www.suse.com/security/cve/CVE-2020-11653.html CVE-2020-11653 https://bugzilla.suse.com/1169039 SUSE Bug 1169039