
openSUSE Security Update: Security update for varnish

Announcement ID:    openSUSE-SU-2025:0179-1
Rating:             important
References:         #1216123 #1221942 #1239892
Cross-References:   CVE-2013-4484 CVE-2023-44487 CVE-2024-30156 CVE-2025-30346
CVSS scores:
                    CVE-2023-44487 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP6

An update that fixes four vulnerabilities is now available.

Description:

This update for varnish fixes the following issues:

- Update to release 7.7.1
  * VSV-16: Resolve request smuggling attack
- Update to release 7.7.0
  * The linux jail gained control of transparent huge pages settings.
  * An issue has been fixed which could cause a crash when varnishd receives an invalid Content-Range header from a backend.
  * Timestamping for HTTP/2 requests (when idle period begins) has been switched to be more in line with HTTP/1.
  * VSV-15: The client connection is now always closed when a malformed request is received. [CVE-2025-30346, boo#1239892]
- Update to release 7.6.0
  * The Varnish Delivery Processor (VDP) filter API has been generalized to also accommodate future use for backend request bodies.
  * VDPs with no vdp_bytes_f function are now supported if the vdp_init_f returns a value greater than zero to signify that the filter is not to be added to the chain. This is useful to support VDPs which only need to work on headers.
  * The…