Security update for varnish SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0819-1 Final 1 1 2020-06-16T05:51:42Z current 2020-06-16T05:51:42Z 2020-06-16T05:51:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for varnish This update for varnish fixes the following issues: - CVE-2019-20637: Fixed an information leak when handling one client request and the next on the same connection (boo#1169040) - CVE-2020-11653: Fixed a performance loss due to an assertion failure and daemon restart when communicating with TLS termination proxy that uses PROXY version 2 (boo#1169039) This update was imported from the openSUSE:Leap:15.1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-819 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SC6JBGFRDO2KYXWHDNCH6CJL6N7QISZW/ E-Mail link for openSUSE-SU-2020:0819-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1169039 SUSE Bug 1169039 https://bugzilla.suse.com/1169040 SUSE Bug 1169040 https://www.suse.com/security/cve/CVE-2019-20637/ SUSE CVE CVE-2019-20637 page https://www.suse.com/security/cve/CVE-2020-11653/ SUSE CVE CVE-2020-11653 page SUSE Package Hub 15 SP1 libvarnishapi2-6.2.1-bp151.4.6.1 varnish-6.2.1-bp151.4.6.1 varnish-devel-6.2.1-bp151.4.6.1 libvarnishapi2-6.2.1-bp151.4.6.1 as a component of SUSE Package Hub 15 SP1 varnish-6.2.1-bp151.4.6.1 as a component of SUSE Package Hub 15 SP1 varnish-devel-6.2.1-bp151.4.6.1 as a component of SUSE Package Hub 15 SP1 An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers. CVE-2019-20637 SUSE Package Hub 15 SP1:libvarnishapi2-6.2.1-bp151.4.6.1 SUSE Package Hub 15 SP1:varnish-6.2.1-bp151.4.6.1 SUSE Package Hub 15 SP1:varnish-devel-6.2.1-bp151.4.6.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SC6JBGFRDO2KYXWHDNCH6CJL6N7QISZW/ https://www.suse.com/security/cve/CVE-2019-20637.html CVE-2019-20637 https://bugzilla.suse.com/1169040 SUSE Bug 1169040 An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss. CVE-2020-11653 SUSE Package Hub 15 SP1:libvarnishapi2-6.2.1-bp151.4.6.1 SUSE Package Hub 15 SP1:varnish-6.2.1-bp151.4.6.1 SUSE Package Hub 15 SP1:varnish-devel-6.2.1-bp151.4.6.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SC6JBGFRDO2KYXWHDNCH6CJL6N7QISZW/ https://www.suse.com/security/cve/CVE-2020-11653.html CVE-2020-11653 https://bugzilla.suse.com/1169039 SUSE Bug 1169039