1
Candidate: CVE-2009-2936
4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2936
6
** DISPUTED ** The Command Line Interface (aka Server CLI or administration
7
interface) in the master process in the reverse proxy server in Varnish
8
before 2.1.0 does not require authentication for commands received through
9
a TCP port, which allows remote attackers to (1) execute arbitrary code via
10
a vcl.inline directive that provides a VCL configuration file containing
11
inline C code; (2) change the ownership of the master process via
12
param.set, stop, and start directives; (3) read the initial line of an
13
arbitrary file via a vcl.load directive; or (4) conduct cross-site request
14
forgery (CSRF) attacks that leverage a victim's location on a trusted
15
network and improper input validation of directives. NOTE: the vendor
16
disputes this report, saying that it is "fundamentally misguided and
20
jdstrand> per Debian, "Only a security issue if used against best practices"
27
upstream_varnish: released (2.1.0)
29
hardy_varnish: ignored (reached end-of-life)
30
intrepid_varnish: needed (reached end-of-life)
31
jaunty_varnish: ignored (reached end-of-life)
32
karmic_varnish: ignored (reached end-of-life)
33
lucid_varnish: not-affected (2.1.0-2ubuntu0.1)
34
maverick_varnish: not-affected (2.1.1-1)
35
natty_varnish: not-affected (2.1.1-1)
36
oneiric_varnish: not-affected (2.1.1-1)
37
precise_varnish: not-affected (2.1.1-1)
38
devel_varnish: not-affected (2.1.1-1)