ALAS-2022-1632

Amazon Linux 1 (EOL) Security Advisory: ALAS-2022-1632
Advisory Released Date: 2022-08-23
Advisory Updated Date: 2022-08-23

Severity: Important

References: CVE-2022-23959
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was found in Varnish. This flaw allows an attacker to carry out a request smuggling attack on HTTP/1 connections on Varnish cache servers. This smuggled request goes through the usual Varnish Configuration Language (VCL) processing since the Varnish server treats it as an additional request. (CVE-2022-23959)

Affected Packages:

varnish

Issue Correction:
Run yum update varnish to update your system.

New Packages:

i686:
    varnish-libs-4.0.5-3.23.amzn1.i686
    varnish-libs-devel-4.0.5-3.23.amzn1.i686
    varnish-docs-4.0.5-3.23.amzn1.i686
    varnish-4.0.5-3.23.amzn1.i686
    varnish-debuginfo-4.0.5-3.23.amzn1.i686

src:
    varnish-4.0.5-3.23.amzn1.src

x86_64:
    varnish-libs-4.0.5-3.23.amzn1.x86_64
    varnish-libs-devel-4.0.5-3.23.amzn1.x86_64
    varnish-4.0.5-3.23.amzn1.x86_64
    varnish-docs-4.0.5-3.23.amzn1.x86_64
    varnish-debuginfo-4.0.5-3.23.amzn1.x86_64

Additional References

Red Hat: CVE-2022-23959

Mitre: CVE-2022-23959