Home
Packages
Forums
Wiki
GitLab
Security
AUR
Download

issues
advisories
todo
stats
log
login

ASA-202107-28 - log back

ASA-202107-28 edited at 16 Jul 2021 14:53:50

Workaround

	The issue can be mitigated by turning off support for HTTP/2, using

	sudo varnishadm param.set feature -http2

	or by preventing connection reuse with the following configuration:

	sub vcl_backend_fetch {
	set bereq.http.Connection = "close";
	}

ASA-202107-28 edited at 14 Jul 2021 20:11:42

Workaround

+	The issue can be mitigated by turning off support for HTTP/2, using
+
+	sudo varnishadm param.set feature -http2
+
+	or by preventing connection reuse with the following configuration:
+
+	sub vcl_backend_fetch {
+	set bereq.http.Connection = "close";
+	}

Impact

+	A remote attacker could inject arbitrary HTTP requests through an HTTP/2 POST request with a large Content-Length header.

ASA-202107-28 created at 14 Jul 2021 20:09:44