1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
Candidate: CVE-2009-2936
PublicDate: 2010-04-05
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2936
Description:
** DISPUTED ** The Command Line Interface (aka Server CLI or administration
interface) in the master process in the reverse proxy server in Varnish
before 2.1.0 does not require authentication for commands received through
a TCP port, which allows remote attackers to (1) execute arbitrary code via
a vcl.inline directive that provides a VCL configuration file containing
inline C code; (2) change the ownership of the master process via
param.set, stop, and start directives; (3) read the initial line of an
arbitrary file via a vcl.load directive; or (4) conduct cross-site request
forgery (CSRF) attacks that leverage a victim's location on a trusted
network and improper input validation of directives. NOTE: the vendor
disputes this report, saying that it is "fundamentally misguided and
pointless."
Ubuntu-Description:
Notes:
jdstrand> per Debian, "Only a security issue if used against best practices"
Bugs:
Priority: negligible
Discovered-by:
Assigned-to:
Patches_varnish:
upstream_varnish: released (2.1.0)
dapper_varnish: DNE
hardy_varnish: ignored (reached end-of-life)
intrepid_varnish: needed (reached end-of-life)
jaunty_varnish: ignored (reached end-of-life)
karmic_varnish: ignored (reached end-of-life)
lucid_varnish: not-affected (2.1.0-2ubuntu0.1)
maverick_varnish: not-affected (2.1.1-1)
natty_varnish: not-affected (2.1.1-1)
oneiric_varnish: not-affected (2.1.1-1)
precise_varnish: not-affected (2.1.1-1)
devel_varnish: not-affected (2.1.1-1)
|