Date: Sat, 2 Dec 2023 18:43:45 GMT
Message-Id: <202312021843.3B2IhjtZ017488@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: "Danilo G. Baio"
Subject: git: 4e03e6d862b5 - main - security/vuxml: Add Varnish Cache vulnerability
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Sender: owner-dev-commits-ports-main@freebsd.org
X-BeenThere: dev-commits-ports-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: dbaio
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 4e03e6d862b5909e5c45f8f9ee803bd6b035d4bb
Auto-Submitted: auto-generated

The branch main has been updated by dbaio:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4e03e6d862b5909e5c45f8f9ee803bd6b035d4bb

commit 4e03e6d862b5909e5c45f8f9ee803bd6b035d4bb
Author: Danilo G. Baio
AuthorDate: 2023-12-02 17:34:18 +0000
Commit: Danilo G. Baio
CommitDate: 2023-12-02 18:42:34 +0000

security/vuxml: Add Varnish Cache vulnerability
---
security/vuxml/vuln/2023.xml | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 7c7d022e9a24..c484528898f7 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,38 @@ + + varnish -- HTTP/2 Rapid Reset Attack + + + varnish7 + 7.4.2 + + + varnish6 + 6.6.3 + + + + +

Varnish Cache Project reports:

+
+

A denial of service attack can be performed on Varnish Cache servers + that have the HTTP/2 protocol turned on. An attacker can create a large + volume of streams and immediately reset them without ever reaching the + maximum number of concurrent streams allowed for the session, causing + the Varnish server to consume unnecessary resources processing requests + for which the response will not be delivered.

+
+ +
+ + CVE-2023-44487 + https://varnish-cache.org/security/VSV00013.html + + + 2023-11-13 + 2023-12-02 + +
+ Gitlab -- Vulnerabilities
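
Review bot: the commit message carries no identifier for the issue, although the references in the new entry name both CVE-2023-44487 and https://varnish-cache.org/security/VSV00013.html; putting those two in the message body would let someone searching the ports log by CVE land on this change. In the affected-package block, varnish7 is bounded at 7.4.2 and varnish6 at 6.6.3, and both bounds should be checked against the fixed releases listed in VSV00013, since a bound set too low leaves vulnerable installs unreported. The description limits the issue to servers that have the HTTP/2 protocol turned on, which the topic "varnish -- HTTP/2 Rapid Reset Attack" only implies; the entry is fine as a quote of the upstream text, but the dates (discovery 2023-11-13, entry 2023-12-02) should be confirmed against the advisory's publication date.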