Varnish is an http accellerator.
I recently requested an update for varnish-2.1.0 in f13 an rawhide. I hope it will be
accepted for f13, as it contains a fix for CVE-2009-2936 (bz #579536, #579533).
CVE-2009-2936 states that it is a security problem that local users on a system running
varnish have anonymously access to the varnish administration console (telnet interface),
which, given enough varnish clue, is effectively giving them local root access.
varnish-2.1.0 fixes this by adding password authentication to the administration console.
This password fix will probably not be backported to the 2.0 series.
f12, f11, epel5 and epel4 have varnish-2.0.6. The configuration interface has changed a
bit from the 2.0 to the 2.1 series. The change is not large, but a lot of users will have
to change a configuration line or ten to be able to upgrade. This means that automatic
upgrade is not possible, and according to the rules, we will thus have to stay with 2.0.x
for these "old" stable releases (at least until some major security problem
arises). Upstream will continue maintenance of the 2.0 series for at least some 6 months
more, I guess.
I can "fix" this in two ways: Either (1) pack 2.1.0 for the "old"
stable releases of fedora and epel, breaking existing configurations, or, (2) submit an
update with the administration console switched off by default, possibly breaking
automated scripts using it via nc or varnishadm.
I may also ignore the case. Upstream disputes the seriousness of this "bug".
I would like an advice on this from the security team, please.
Regards,
Ingvar
Show replies by date