Varnish is an http accellerator.
I recently requested an update for varnish-2.1.0 in f13 an rawhide. I hope it will be accepted for f13, as it contains a fix for CVE-2009-2936 (bz #579536, #579533).
CVE-2009-2936 states that it is a security problem that local users on a system running varnish have anonymously access to the varnish administration console (telnet interface), which, given enough varnish clue, is effectively giving them local root access. varnish-2.1.0 fixes this by adding password authentication to the administration console. This password fix will probably not be backported to the 2.0 series.
f12, f11, epel5 and epel4 have varnish-2.0.6. The configuration interface has changed a bit from the 2.0 to the 2.1 series. The change is not large, but a lot of users will have to change a configuration line or ten to be able to upgrade. This means that automatic upgrade is not possible, and according to the rules, we will thus have to stay with 2.0.x for these "old" stable releases (at least until some major security problem arises). Upstream will continue maintenance of the 2.0 series for at least some 6 months more, I guess.
I can "fix" this in two ways: Either (1) pack 2.1.0 for the "old" stable releases of fedora and epel, breaking existing configurations, or, (2) submit an update with the administration console switched off by default, possibly breaking automated scripts using it via nc or varnishadm.
I may also ignore the case. Upstream disputes the seriousness of this "bug".
I would like an advice on this from the security team, please.
I haven't had time to do any work related to the Fedora security response team
in quite a while nor do I expect to have any time soon, so I've removed myself
from the Wiki security response team members page and will unsubscribe from
So, we have a bunch of updates in our mailbox for F11 and F12 for
various KDE packages, with one of two advisory ids:
all of them refer to a kdm security problem, but none of these actually
fix kdm I don't think ... and there is no advisory for kdm itself ...
can someone help me out with what's going on here?
Jake Edge - LWN - jake(a)lwn.net - http://lwn.net