On Tue, 20 Apr 2010 23:48:24 +0200 (CEST) Ingvar Hagelund <ingvar@xxxxxxxxxxxxxxxxxx> wrote:

> Varnish is an http accelerator.
>
> I recently requested an update for varnish-2.1.0 in f13 and rawhide. I
> hope it will be accepted for f13, as it contains a fix for
> CVE-2009-2936 (bz #579536, #579533).

Yes, it should be. Just make sure it gets enough karma or you push it
to stable directly.

> CVE-2009-2936 states that it is a security problem that local users
> on a system running varnish have anonymous access to the varnish
> administration console (telnet interface), which, given enough
> varnish clue, is effectively giving them local root access.
> varnish-2.1.0 fixes this by adding password authentication to the
> administration console. This password fix will probably not be
> backported to the 2.0 series.
>
> f12, f11, epel5 and epel4 have varnish-2.0.6. The configuration
> interface has changed a bit from the 2.0 to the 2.1 series. The
> change is not large, but a lot of users will have to change a
> configuration line or ten to be able to upgrade. This means that
> automatic upgrade is not possible, and according to the rules, we
> will thus have to stay with 2.0.x for these "old" stable releases (at
> least until some major security problem arises). Upstream will
> continue maintenance of the 2.0 series for at least some 6 months
> more, I guess.
>
> I can "fix" this in two ways: Either (1) pack 2.1.0 for the "old"
> stable releases of fedora and epel, breaking existing configurations,
> or, (2) submit an update with the administration console switched off
> by default, possibly breaking automated scripts using it via nc or
> varnishadm.

1 may be acceptable for Fedora, but I would personally not recommend it.
For EPEL 1 is forbidden. ;(

So, I would think 2 would be the better of the two.

Can you backport the password functionality to the 2.0 series? Or find
someone interested in doing so?

> I may also ignore the case. Upstream disputes the seriousness of this
> "bug".

That's up to you as well depending on what you think the impact is.

> I would like advice on this from the security team, please.

This list is pretty dead, so not sure what if any other replies you will
get. :(

kevin
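As an added illustration of the exposure the thread discusses (not part of the original mail and not Fedora's or Varnish's own tooling), the helper below classifies a varnishd option string by whether the management console is off, listening without authentication (the 2.0.x state CVE-2009-2936 describes), or listening with a shared secret. It assumes `-T` is the management listen switch and `-S` is the 2.1.x secret-file switch; the option strings are constructed samples.

```shell
# Added audit helper: classify the switches handed to varnishd by how the
# management console is exposed. Assumed switches: -T (listen address for the
# console) and -S (2.1.x shared-secret file for console authentication).
varnish_admin_audit() (
    set -f                      # no pathname expansion while splitting tokens
    has_T=0
    has_S=0
    # Split the option string into switches; both "-T host:port" and
    # "-Thost:port" spellings are recognised.
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -T)  has_T=1; if [ $# -gt 1 ]; then shift; fi ;;
            -T*) has_T=1 ;;
            -S)  has_S=1; if [ $# -gt 1 ]; then shift; fi ;;
            -S*) has_S=1 ;;
        esac
        shift
    done
    if [ "$has_T" -eq 0 ]; then
        echo disabled          # option (2) in the thread: no console at all
    elif [ "$has_S" -eq 0 ]; then
        echo unauthenticated   # CVE-2009-2936 exposure: console, no secret
    else
        echo authenticated     # 2.1.x: console protected by the shared secret
    fi
)

# Constructed sample option strings, one per state.
OLD_OPTS='-a :6081 -T 127.0.0.1:6082 -f /etc/varnish/default.vcl -s malloc,256M'
NEW_OPTS='-a :6081 -T 127.0.0.1:6082 -S /etc/varnish/secret -f /etc/varnish/default.vcl'
OFF_OPTS='-a :6081 -f /etc/varnish/default.vcl'

for o in "$OLD_OPTS" "$NEW_OPTS" "$OFF_OPTS"; do
    printf '%-16s <- %s\n' "$(varnish_admin_audit "$o")" "$o"
done
```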
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security