
Debian alert DLA-4187-1 (varnish)

From:  Markus Koschany <apo@debian.org>
To:  debian-lts-announce <debian-lts-announce@lists.debian.org>
Subject:  [SECURITY] [DLA 4187-1] varnish security update
Date:  Thu, 29 May 2025 09:18:40 +0200
Message-ID:  <0742743df39882397314999fe953edb05672f409.camel@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4187-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Markus Koschany
May 28, 2025                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : varnish
Version        : 6.5.1-1+deb11u5
CVE ID         : CVE-2025-47905

A client-side desync vulnerability can be triggered in Varnish, a
high-performance web accelerator. An attacker can abuse a flaw in
Varnish's handling of chunked transfer encoding which allows certain
malformed HTTP/1 requests to exploit improper framing of the message
body to smuggle additional requests. Specifically, Varnish incorrectly
permits CRLF to be skipped to delimit chunk boundaries.

For Debian 11 bullseye, this problem has been fixed in version
6.5.1-1+deb11u5.

We recommend that you upgrade your varnish packages.

For the detailed security status of varnish please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/varnish

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
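The advisory's point is that a chunked-body parser which tolerates a missing CRLF after chunk data can disagree with another parser on the path about where one request ends and the next begins. The following strict decoder is an added illustration (not Varnish code and not part of the advisory): it enforces the RFC 9112 framing rules and rejects a body whose chunk data is not CRLF-terminated, which is the check a conforming implementation must perform. The sample inputs in the accompanying checks are constructed.

```python
import re

# RFC 9112 section 7.1 chunked framing:
#   chunk      = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
#   last-chunk = 1*("0") [ chunk-ext ] CRLF trailer-section CRLF
CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(;[^\r\n]*)?\r\n")


class ChunkFramingError(ValueError):
    """The body does not follow RFC 9112 chunked framing."""


def decode_chunked_strict(body: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body, requiring CRLF after every chunk's data.
    Returns (payload, leftover); leftover is where the next message on the
    connection begins, so every parser on the path must agree on it."""
    out, pos = bytearray(), 0
    while True:
        m = CHUNK_SIZE_LINE.match(body, pos)  # anchored at pos
        if not m:
            raise ChunkFramingError(f"bad chunk-size line at offset {pos}")
        size, pos = int(m.group(1), 16), m.end()
        if size == 0:
            # last-chunk: zero or more trailer fields, then an empty line
            while True:
                nl = body.find(b"\r\n", pos)
                if nl < 0:
                    raise ChunkFramingError("unterminated trailer section")
                line, pos = body[pos:nl], nl + 2
                if line == b"":
                    return bytes(out), body[pos:]
                if b":" not in line:
                    raise ChunkFramingError(f"malformed trailer {line!r}")
        data_end = pos + size
        # The defect the advisory describes is accepting chunk data that is
        # not followed by CRLF; a strict decoder rejects it outright.
        if body[data_end:data_end + 2] != b"\r\n":
            raise ChunkFramingError(f"chunk at offset {pos} lacks CRLF")
        out += body[pos:data_end]
        pos = data_end + 2


def is_well_framed(body: bytes) -> bool:
    """True if body is a complete, strictly framed chunked message."""
    try:
        decode_chunked_strict(body)
        return True
    except ChunkFramingError:
        return False
```

A truncated body, an LF-only line ending, or chunk data running straight into the next chunk-size line all fail `is_well_framed`, while the leftover bytes returned for a compliant body show exactly where a following message would start.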


Attachment: signature.asc (type=application/pgp-signature)





Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds