# VSV00008 Varnish HTTP/1 Request Smuggling Vulnerability
# also known as CVE-2022-23959
#
# Full details on this CVE at http://varnish-cache.org/security/VSV00008.html
#
# SECURITY: The varnish-4.0.x branch is marked END OF LIFE by the Varnish Cache
# upstream project. Please consider upgrading to varnish-6.0 LTS or newer.
# Links to packages compatible with VCL 4.0 and EPEL7 may be found at
# http://varnish-cache.org/releases/
#
# varnish-4.0.5 is vulnerable to CVE-2022-23959.
# If you are unable to upgrade to a current version of varnish, consider
# mitigating against this attack, by copying this file to
# /etc/varnish/vsv8_epel7_varnish405.vcl
# Then near the top of your default.vcl or similar, just below the
# vcl 4.0; marker, add
#
# include "vsv8_epel7_varnish405.vcl";
#
# The systemd service unit will warn about this vulnerability in the log until
# that file exists. If you know that your site is not vulnerable to this
# attack, you may silence the warning in the log by dropping an empty file at
# the same location.
#
# NOTE(review): an empty file at that path silences the warning without
# applying any mitigation, so record why the site is considered unaffected
# before doing that.

# Mitigation helper: for any non-HTTP/2 request that carries a Content-Length
# or Transfer-Encoding header, mark the response "Connection: close".
# Presumably this stops the client connection from being reused after such a
# request, which is what the smuggling attack needs -- confirm against the
# VSV00008 advisory linked above.
# Trade-off: the affected requests lose HTTP/1 keep-alive.
sub vsv8_epel7_varnish405 {
	if (req.proto != "HTTP/2.0") {
		if (req.http.Transfer-Encoding || req.http.Content-Length) {
			set resp.http.Connection = "close";
		}
	}
}

# Hook the helper into both response paths: synthetic responses and
# delivered responses. VCL concatenates repeated definitions of a built-in
# sub in the order they appear, so these add to the site's own vcl_synth and
# vcl_deliver instead of replacing them.
# NOTE(review): site VCL that runs afterwards and unsets or rewrites
# resp.http.Connection would undo the mitigation -- check your own
# vcl_synth and vcl_deliver for that.
sub vcl_synth {
	call vsv8_epel7_varnish405;
}

sub vcl_deliver {
	call vsv8_epel7_varnish405;
}