Package: varnish
Version: 3.0.2-2+deb7u1

On oldstable varnish v3 is still used. Two security fixes have been made on this old version (nothing to do for V4 used on stable).

They were added in 3.0.7:
- Stop recognizing a single CR (\r) as a HTTP line separator. This opened up a possible cache poisoning attack in stacked installations where sslterminator/varnish/backend had different CR handling
- Requests with multiple Content-Length headers will now fail

Patches are here:
* https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c
* https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3

I'd like to get these patches on the oldstable varnish package.
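
The two checks named in the report, sketched as a stand-alone C validator for a request head. This is an added example, not the code from the Varnish commits; the function names, the policy of accepting CRLF or LF as a line end, and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
enum head_status { HEAD_OK, HEAD_BARE_CR, HEAD_DUP_CONTENT_LENGTH };

/* Do the first n bytes of s start with prefix (given in lowercase)? */
static int has_prefix_ci(const char *s, size_t n, const char *prefix)
{
    for (size_t i = 0; prefix[i] != '\0'; i++)
        if (i >= n || tolower((unsigned char)s[i]) != prefix[i])
            return 0;
    return 1;
}

/* Assumed policy: a line ends in CRLF or LF; a CR not followed by LF is an
 * error, never a separator; more than one Content-Length is an error. */
enum head_status check_request_head(const char *buf, size_t len)
{
    size_t i, line_len, line_start = 0, n_cl = 0;
    for (i = 0; i < len; i++) {
        if (buf[i] == '\r' && (i + 1 >= len || buf[i + 1] != '\n'))
            return HEAD_BARE_CR;
        if (buf[i] != '\n')
            continue;
        line_len = i - line_start;          /* may include a trailing CR */
        if (line_len > 0 && buf[i - 1] == '\r')
            line_len--;
        if (line_len == 0)
            break;                          /* blank line ends the head */
        if (has_prefix_ci(buf + line_start, line_len, "content-length:"))
            n_cl++;
        line_start = i + 1;
    }
    return n_cl > 1 ? HEAD_DUP_CONTENT_LENGTH : HEAD_OK;
}

static const char *samples[] = {            /* constructed inputs */
    "POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n\r\nbody",
    "GET /a HTTP/1.1\r\nHost: example.test\rX-Extra: 1\r\n\r\n",
    "POST /a HTTP/1.1\r\nContent-Length: 4\r\ncontent-length: 9\r\n\r\nbody",
};

int main(void)
{
    for (int k = 0; k < 3; k++)
        printf("%d\n", check_request_head(samples[k], strlen(samples[k])));
    return 0;
}
```

Every hop in a stacked installation has to apply the same line-ending rule for the rejection to close the gap; a front end that still splits on a bare CR sees a different header set than the cache behind it.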

