openSUSE:Backports:SLE-15-SP3:Update
File _patchinfo of Package patchinfo.17492
<patchinfo incident="17492">
  <issue tracker="bnc" id="1195188">VUL-0: CVE-2022-23959: varnish: request smuggling can occur for HTTP/1 connections</issue>
  <issue tracker="bnc" id="1181400">AUDIT-TASK: Evaluate systemd hardenings and get more services to use them</issue>
  <issue tracker="bnc" id="1188470">VUL-0: CVE-2021-36740: varnish: HTTP/2 request smuggling attack via a large Content-Length header for a POST request</issue>
  <issue tracker="cve" id="2022-23959"/>
  <issue tracker="cve" id="2021-36740"/>
  <packager>jengelh</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for varnish</summary>
  <description>This update for varnish fixes the following issues:

varnish was updated to release 7.1.0 [boo#1195188] [CVE-2022-23959]

* VCL: It is now possible to assign a BLOB value to a BODY variable, in addition to STRING as before.
* VMOD: New STRING strftime(TIME time, STRING format) function for UTC formatting.

Update to release 6.6.1

* CVE-2021-36740: Fix an HTTP/2.0 request smuggling vulnerability. [boo#1188470]

Update to release 6.6.0:

* The ban_cutoff parameter now refers to the overall length of the ban list, including completed bans, where before only non-completed (“active”) bans were counted towards ban_cutoff.
* Body bytes accounting has been fixed to always represent the number of body bytes moved on the wire, exclusive of protocol-specific overhead like HTTP/1 chunked encoding or HTTP/2 framing.
* The connection close reason has been fixed to properly report SC_RESP_CLOSE where previously only SC_REQ_CLOSE was reported.
* Unless the new validate_headers feature is disabled, all newly set headers are now validated to contain only characters allowed by RFC7230.
* The filter_re, keep_re and get_re functions from the bundled cookie vmod have been changed to take the VCL_REGEX type. This implies that their regular expression arguments now need to be literal, not e.g. string.
* The interface for private pointers in VMODs has been changed, the VRT backend interface has been changed, many filter (VDP/VFP) related signatures have been changed, and the stevedore API has been changed. (Details thereto, see online changelog.)

Update to release 6.5.1

* Bump the VRT_MAJOR_VERSION number defined in the vrt.h

Update to release 6.5.0

* `PRIV_TOP` is now thread-safe to support parallel ESI implementations.
* varnishstat's JSON output format (-j option) has been changed.
* Behavior for 304-type responses was changed not to update the Content-Encoding response header of the stored object.

- Update Git-Web repository link

Update to release 6.4.0

* The MAIN.sess_drop counter is gone.
* backend "none" was added for "no backend".
* The hash algorithm of the hash director was changed, so backend selection will change once only when upgrading.
* It is now possible for VMOD authors to customize the connection pooling of a dynamic backend.
* For more, see changes.rst.

Update to release 6.3.2

* Fix a denial of service vulnerability when using the proxy protocol version 2.

Update to release 6.3.0

* The Host: header is folded to lower-case in the builtin_vcl.
* Improved performance of shared memory statistics counters.
* Synthetic objects created from vcl_backend_error {} now replace existing stale objects as ordinary backend fetches would (for details see changes.rst)
</description>
</patchinfo>