Debian Security Advisory
DSA-5088-1 varnish -- security update
- Date Reported:
- 03 Mar 2022
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 991040, Bug 1004433.
In Mitre's CVE dictionary: CVE-2021-36740, CVE-2022-23959.
- More information:
Martin Blix Grydeland discovered that Varnish is vulnerable to request smuggling attacks if the HTTP/2 protocol is enabled.
James Kettle discovered a request smuggling attack against the HTTP/1 protocol implementation in Varnish.
For the oldstable distribution (buster), these problems have been fixed in version 6.1.1-1+deb10u3.
For the stable distribution (bullseye), these problems have been fixed in version 6.5.1-1+deb11u2.
We recommend that you upgrade your varnish packages.
For the detailed security status of varnish please refer to its security tracker page at: https://security-tracker.debian.org/tracker/varnish