{"affected":[{"ecosystem_specific":{"binaries":[{"libvarnishapi3":"7.1.0-bp153.2.3.1","varnish":"7.1.0-bp153.2.3.1","varnish-devel":"7.1.0-bp153.2.3.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP3","name":"varnish","purl":"pkg:rpm/suse/varnish&distro=SUSE%20Package%20Hub%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"7.1.0-bp153.2.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libvarnishapi3":"7.1.0-bp153.2.3.1","varnish":"7.1.0-bp153.2.3.1","varnish-devel":"7.1.0-bp153.2.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.3","name":"varnish","purl":"pkg:rpm/opensuse/varnish&distro=openSUSE%20Leap%2015.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"7.1.0-bp153.2.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for varnish fixes the following issues:\n\nvarnish was updated to release 7.1.0 [boo#1195188] [CVE-2022-23959]\n\n* VCL: It is now possible to assign a BLOB value to a BODY\n  variable, in addition to STRING as before.\n* VMOD: New STRING strftime(TIME time, STRING format) function\n  for UTC formatting.\n\nUpdate to release 6.6.1\n\n* CVE-2021-36740: Fix an HTTP/2.0 request smuggling vulnerability. [boo#1188470]\n\nUpdate to release 6.6.0:\n\n* The ban_cutoff parameter now refers to the overall length of\n  the ban list, including completed bans, where before only\n  non-completed (“active”) bans were counted towards ban_cutoff.\n* Body bytes accounting has been fixed to always represent the\n  number of body bytes moved on the wire, exclusive of\n  protocol-specific overhead like HTTP/1 chunked encoding or\n  HTTP/2 framing.\n* The connection close reason has been fixed to properly report\n  SC_RESP_CLOSE where previously only SC_REQ_CLOSE was reported.\n* Unless the new validate_headers feature is disabled, all newly\n  set headers are now validated to contain only characters\n  allowed by RFC7230.\n* The filter_re, keep_re and get_re functions from the bundled\n  cookie vmod have been changed to take the VCL_REGEX type. This\n  implies that their regular expression arguments now need to be\n  literal, not e.g. string.\n* The interface for private pointers in VMODs has been changed,\n  the VRT backend interface has been changed, many filter\n  (VDP/VFP) related signatures have been changed, and the\n  stevedore API has been changed. (Details thereto, see online\n  changelog.)\n\nUpdate to release 6.5.1\n\n* Bump the VRT_MAJOR_VERSION number defined in the vrt.h\n\nUpdate to release 6.5.0\n\n* `PRIV_TOP` is now thread-safe to support parallel ESI\n  implementations.\n* varnishstat's JSON output format (-j option) has been changed.\n* Behavior for 304-type responses was changed not to update the\n  Content-Encoding response header of the stored object.\n\n- Update Git-Web repository link\n\nUpdate to release 6.4.0\n\n* The MAIN.sess_drop counter is gone.\n* backend 'none' was added for 'no backend'.\n* The hash algorithm of the hash director was changed, so\n  backend selection will change once only when upgrading.\n* It is now possible for VMOD authors to customize the\n  connection pooling of a dynamic backend.\n* For more, see changes.rst.\n\nUpdate to release 6.3.2\n\n* Fix a denial of service vulnerability when using the proxy\n  protocol version 2.\n\nUpdate to release 6.3.0\n\n* The Host: header is folded to lower-case in the builtin_vcl.\n* Improved performance of shared memory statistics counters.\n* Synthetic objects created from vcl_backend_error {} now\n  replace existing stale objects as ordinary backend fetches\n  would (for details see changes.rst)\n","id":"openSUSE-SU-2022:0148-1","modified":"2022-05-27T04:23:45Z","published":"2022-05-27T04:23:45Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KTY3FIXDKQEQLMHOF4U46AQ47W524UIM/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1181400"},{"type":"REPORT","url":"https://bugzilla.suse.com/1188470"},{"type":"REPORT","url":"https://bugzilla.suse.com/1195188"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-36740"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-23959"}],"related":["CVE-2021-36740","CVE-2022-23959"],"summary":"Security update for varnish","upstream":["CVE-2021-36740","CVE-2022-23959"]}