varnishcache / homepage

Commit 3dbc284a, authored Mar 18, 2024 by Dridi Boukelmoune
Missing bits surrounding VSV14
parent 599dd41f
Showing 3 changed files with 25 additions and 4 deletions (+25 -4):

* R1/source/index.rst (+1 -1)
* R1/source/security/VSV00014.rst (+21 -3)
* R1/source/security/index.rst (+3 -0)
R1/source/index.rst @ 3dbc284a
@@ -14,7 +14,7 @@ Our bi-annual "fresh" release is here: :ref:`rel7.5.0`
The 7.3 series is no longer supported in any capacity.
2024-03-18 - Varnish HTTP/2 Broke Window Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
All Varnish Cache releases with HTTP/2 support suffer a vulnerability in
the HTTP/2 protocol. Please see :ref:`VSV00014` for more information.
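Review bot: the only change in this hunk is the underline beneath the "2024-03-18 - Varnish HTTP/2 Broke Window Attack" heading growing by one tilde (the wrapped `~` shown on its own line) so that it spans the whole title; docutils warns on a title underline shorter than its text, so this is the right fix and carries no content change. The context sentence refers to :ref:`VSV00014` while the security index hunk in this commit uses the label `vsv00014`; Sphinx lowercases labels, so the case difference is harmless, but keeping one spelling across the three files would make the cross-references easier to grep.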
R1/source/security/VSV00014.rst @ 3dbc284a
@@ -43,34 +43,52 @@ Timeline
* **2019-04-19** the vulnerability is theorized (see commit message of e1a1fdc7_)
* **2023-08-24** the vulnerability is confirmed
* it happened while working on bringing back the parameters ``timeout_req``
and ``timeout_reqbody`` to Varnish Enterprise 6.0
and ``timeout_reqbody`` to Varnish Enterprise 6.0
* **2023-09-20** the vulnerability is studied
* once the timeouts are reintroduced in Varnish Enterprise, work started to
find an appropriate mitigation
find an appropriate mitigation
* **2023-10-10** the HTTP/2 Rapid Reset Attack is disclosed
* work on the Rapid Reset Attack starts, see :ref:`VSV00013_`
* work on the Rapid Reset Attack starts, see :ref:`VSV00013`
* work on the Broke Window Attack mitigation is postponed
* **2023-10-23** CVE-2023-43622 is published
* it describes a subset of the vulnerability for the Apache HTTP Server
* work on the Broke Window Attack mitigation resumes
* a first iteration is ready and submitted for a review
* the Varnish Cache maintainers are informed
* **2023-11-16** a second iteration is submitted for review
* **2023-11-29** the second iteration is approved
* Varnish Enterprise ships the mitigation in the 6.0.12r4 release
* **2023-12-05** the mitigation is ported to Varnish Cache
* the master branch is targeted
* the mitigation is not ready to publish
* **2024-01-15** the port to Varnish Cache resumes
* ported to supported branches 7.4, 7.4 and 6.0 LTS
* **2024-01-17** a regression is discovered
* the second iteration of the mitigation is racy
* when a race occurs, it is partially effective
* offending HTTP/2 streams are reset, but the connection is not closed
* **2024-01-23** the regression is fixed
* the ports to Varnish Cache are updated
* a bug fix is submitted to Varnish Enterprise
* **2024-03-05** the port to Varnish Cache master branch is updated
* **2024-03-18** public advisory and releases
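Review bot: the 2024-01-15 entry, "ported to supported branches 7.4, 7.4 and 6.0 LTS", names 7.4 twice; one of the two is a typo for the other branch that was still supported in January 2024 (the index.rst hunk in this same commit says the 7.3 series is no longer supported as of this release, which suggests 7.3 was meant), and it should be corrected before the advisory is published. The remaining edits in the hunk look right: `:ref:`VSV00013_`` becoming `:ref:`VSV00013`` drops a trailing underscore that the :ref: role would otherwise treat as part of the label, and the two continuation lines under the 2023-08-24 and 2023-09-20 bullets appear unchanged in text, so those are whitespace-only re-indentations that keep the sub-bullets attached to their parent items.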
R1/source/security/index.rst @ 3dbc284a
@@ -11,6 +11,7 @@ List of all Varnish CVEs
=============== =============== ====================================
Versions CVE What
=============== =============== ====================================
5.x, 6.x, 7.x CVE-2023-43622_ :ref:`vsv00014`
5.x, 6.x, 7.x CVE-2023-44487_ :ref:`vsv00013`
vmod_digest CVE-2023-41104_ :ref:`vsv00012`
6.x, 7.x CVE-2022-45060_ :ref:`vsv00011`
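Review bot: the new row assigns CVE-2023-43622 to :ref:`vsv00014`, but the VSV00014.rst hunk in this same commit describes that CVE as one that "describes a subset of the vulnerability for the Apache HTTP Server". If Varnish is deliberately reusing the Apache identifier rather than requesting its own, the advisory text should state that explicitly, otherwise readers of a table titled "List of all Varnish CVEs" will take it for a Varnish-specific assignment. The "5.x, 6.x, 7.x" version column is consistent with the index.rst statement that every release with HTTP/2 support is affected and mirrors the VSV00013 row directly below it.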
@@ -30,6 +31,7 @@ vmod_digest CVE-2023-41104_ :ref:`vsv00012`
< 2.1.0 CVE-2009-2936_ Trophy hunting
=============== =============== ====================================
.. _CVE-2023-43622: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43622
.. _CVE-2023-44487: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487
.. _CVE-2023-41104: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41104
.. _CVE-2022-45060: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45060
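Review bot: the new `.. _CVE-2023-43622:` target follows the same cve.mitre.org URL pattern as the existing entries and sits in the same descending order as the table rows above, so the `CVE-2023-43622_` reference in the table resolves; nothing to change in this hunk.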
@@ -52,6 +54,7 @@ vmod_digest CVE-2023-41104_ :ref:`vsv00012`
:hidden:
:maxdepth: 1
VSV00014.rst
VSV00013.rst
VSV00012.rst
VSV00011.rst