Date: Mon, 18 May 2026 14:44:21 +0000
From: Ryan Steinmetz <zi@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 7b63db13ecc1 - main - security/vuxml: Document varnish/vinyl vulnerability
Message-ID: <6a0b25c5.3d767.657af553@gitrepo.freebsd.org>
The branch main has been updated by zi: URL: https://cgit.FreeBSD.org/ports/commit/?id=7b63db13ecc1d378b871c113ecfb3d8177d073a8 commit 7b63db13ecc1d378b871c113ecfb3d8177d073a8 Author: Ryan Steinmetz <zi@FreeBSD.org> AuthorDate: 2026-05-18 14:43:31 +0000 Commit: Ryan Steinmetz <zi@FreeBSD.org> CommitDate: 2026-05-18 14:43:31 +0000 security/vuxml: Document varnish/vinyl vulnerability A deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass or possibly even information disclosure and manipulation. --- security/vuxml/vuln/2026.xml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index 6b819df4092e..bcaf396e8a7c 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml 
@@ -1,3 +1,34 @@ + <vuln vid="f0f4bb64-52c6-11f1-a1c0-0050569f0b83"> + <topic>Vinyl/Varnish -- HTTP/2 parsing deficiency</topic> + <affects> + <package> + <name>vinyl09</name> + <range><lt>9.0.1</lt></range> + </package> + <package> + <name>varnish7</name> + <range><lt>8.0.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Vinyl Development Team reports:</p> + <blockquote cite="https://vinyl-cache.org/security/VSV00019.html"> + <p>A deficiency in HTTP/2 request parsing can be exploited to launch a backend request + desync attack (request smuggling), which in turn can be used for cache poisoning, + authentication bypass or possibly even information disclosure and manipulation.</p> + </blockquote> + </body> + </description> + <references> + <url>https://vinyl-cache.org/security/VSV00019.html</url> + </references> + <dates> + <discovery>2026-05-18</discovery> + <entry>2026-05-18</entry> + </dates> + </vuln> + <vuln vid="7185ecc9-4fb7-11f1-bc50-6cc21735f730"> <topic>PostgreSQL -- Multiple vulnerabilities</topic> <affects>home | help
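Review bot: in the `<affects>` block, the `varnish7` package is bounded by `<range><lt>8.0.1</lt></range>`, a version from a different major series than the package name suggests. If that package tracks 7.x releases, no 7.x version can ever satisfy the bound, so every installed `varnish7` stays flagged even after a fixed 7.x release is installed. Please confirm against VSV00019 whether the entry should carry the fixed 7.x version for `varnish7`, name a separate package for the 8.x series, or list both with their own ranges. The commit message would also benefit from stating which fixed versions the two ranges are taken from, since the entry has no `<cvename>` or other identifier to cross-check beyond the advisory URL.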
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a0b25c5.3d767.657af553>
