Red Hat Product Errata RHSA-2023:5930 - Security Advisory
Issued:
2023-10-19
Updated:
2023-10-19

RHSA-2023:5930 - Security Advisory

Synopsis

Important: varnish security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for varnish is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.

Security Fix(es):

  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0 ppc64le
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
  • Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.0 x86_64
  • Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.0 ppc64le
  • Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.0 s390x
  • Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.0 aarch64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x

Fixes

  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0

SRPM
varnish-6.6.2-2.el9_0.2.src.rpm SHA-256: 0a1fb753549ce7f292ae836fffab4ec255b041e584d86aaa516985c4d01d49e4
x86_64
varnish-6.6.2-2.el9_0.2.i686.rpm SHA-256: c7cb238695c8c6f67e49e311d7610b09f312b3dcebd162681b40a9612cb25547
varnish-6.6.2-2.el9_0.2.x86_64.rpm SHA-256: 5120bfde4e34832668cfc2d1bcaf6b0abfba2ebfd520fa0fd1a60addb630d85b
varnish-docs-6.6.2-2.el9_0.2.x86_64.rpm SHA-256: 692184e1287a05c84850ddf26dd50edd6e14cd44ad9c00d5e1d1829aaaa51e41

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0

SRPM
varnish-6.6.2-2.el9_0.2.src.rpm SHA-256: 0a1fb753549ce7f292ae836fffab4ec255b041e584d86aaa516985c4d01d49e4
s390x
varnish-6.6.2-2.el9_0.2.s390x.rpm SHA-256: 6f153783d93ed50d1b3b4385f9b4a88c18957806c254215100047bf7ba9aeeca
varnish-docs-6.6.2-2.el9_0.2.s390x.rpm SHA-256: 547cc8fa6e76bd515e15c88bc41a996b0a0391c741b014834b3bc38f4e7c2e38

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0

SRPM
varnish-6.6.2-2.el9_0.2.src.rpm SHA-256: 0a1fb753549ce7f292ae836fffab4ec255b041e584d86aaa516985c4d01d49e4
ppc64le
varnish-6.6.2-2.el9_0.2.ppc64le.rpm SHA-256: e57e4cb7bc551d1b705db34157060493765ef872ddb4df9e8e12036fd9f84c91
varnish-docs-6.6.2-2.el9_0.2.ppc64le.rpm SHA-256: a3c1c8c34a43e266de691b8c1d6760cf49f180a7ff1f3f08f99e83cf4c5fab78

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0

SRPM
varnish-6.6.2-2.el9_0.2.src.rpm SHA-256: 0a1fb753549ce7f292ae836fffab4ec255b041e584d86aaa516985c4d01d49e4
aarch64
varnish-6.6.2-2.el9_0.2.aarch64.rpm SHA-256: 84bbdcff6c3f4eb5986a62cb21e765e40b5aaa468f605246eed38c489f1a91ef
varnish-docs-6.6.2-2.el9_0.2.aarch64.rpm SHA-256: c75e94a23f24355b3fb03c99970fc1781ff1c3f0cbfd0a26325dd574b1f1895c

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0

SRPM
varnish-6.6.2-2.el9_0.2.src.rpm SHA-256: 0a1fb753549ce7f292ae836fffab4ec255b041e584d86aaa516985c4d01d49e4
ppc64le
varnish-6.6.2-2.el9_0.2.ppc64le.rpm SHA-256: e57e4cb7bc551d1b705db34157060493765ef872ddb4df9e8e12036fd9f84c91
varnish-docs-6.6.2-2.el9_0.2.ppc64le.rpm SHA-256: a3c1c8c34a43e266de691b8c1d6760cf49f180a7ff1f3f08f99e83cf4c5fab78

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0

SRPM
varnish-6.6.2-2.el9_0.2.src.rpm SHA-256: 0a1fb753549ce7f292ae836fffab4ec255b041e584d86aaa516985c4d01d49e4
x86_64
varnish-6.6.2-2.el9_0.2.i686.rpm SHA-256: c7cb238695c8c6f67e49e311d7610b09f312b3dcebd162681b40a9612cb25547
varnish-6.6.2-2.el9_0.2.x86_64.rpm SHA-256: 5120bfde4e34832668cfc2d1bcaf6b0abfba2ebfd520fa0fd1a60addb630d85b
varnish-docs-6.6.2-2.el9_0.2.x86_64.rpm SHA-256: 692184e1287a05c84850ddf26dd50edd6e14cd44ad9c00d5e1d1829aaaa51e41

Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.0

SRPM
x86_64
varnish-devel-6.6.2-2.el9_0.2.i686.rpm SHA-256: dd1f13446eecd3eb423cfa265330b38934521a5c5622282635fd740b4102425f
varnish-devel-6.6.2-2.el9_0.2.x86_64.rpm SHA-256: a622d9fe95c79a7cb87b7d8d558e6de771cfd346df93307089e0f06ce382c2b5

Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.0

SRPM
ppc64le
varnish-devel-6.6.2-2.el9_0.2.ppc64le.rpm SHA-256: ebc43c0ad629f7061d2881e207ff9ef2f5851c98b59dde9832b6d94a5d4141cf

Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.0

SRPM
s390x
varnish-devel-6.6.2-2.el9_0.2.s390x.rpm SHA-256: f88b396c5d92befe2ac503c9cde4535342aad4f7d10cd8315480901f5c9f8f73

Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.0

SRPM
aarch64
varnish-devel-6.6.2-2.el9_0.2.aarch64.rpm SHA-256: 65c1db172fdc21482aefe22648ec25cdab9e9d3e5b6a120a3d27eeb87604a7b2

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0

SRPM
varnish-6.6.2-2.el9_0.2.src.rpm SHA-256: 0a1fb753549ce7f292ae836fffab4ec255b041e584d86aaa516985c4d01d49e4
aarch64
varnish-6.6.2-2.el9_0.2.aarch64.rpm SHA-256: 84bbdcff6c3f4eb5986a62cb21e765e40b5aaa468f605246eed38c489f1a91ef
varnish-docs-6.6.2-2.el9_0.2.aarch64.rpm SHA-256: c75e94a23f24355b3fb03c99970fc1781ff1c3f0cbfd0a26325dd574b1f1895c

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0

SRPM
varnish-6.6.2-2.el9_0.2.src.rpm SHA-256: 0a1fb753549ce7f292ae836fffab4ec255b041e584d86aaa516985c4d01d49e4
s390x
varnish-6.6.2-2.el9_0.2.s390x.rpm SHA-256: 6f153783d93ed50d1b3b4385f9b4a88c18957806c254215100047bf7ba9aeeca
varnish-docs-6.6.2-2.el9_0.2.s390x.rpm SHA-256: 547cc8fa6e76bd515e15c88bc41a996b0a0391c741b014834b3bc38f4e7c2e38

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.