Hi Marco,

[CC'ing security team]

On Mon, Apr 01, 2024 at 04:25:05PM +0200, Marco d'Itri wrote:
> Control: found -1 5.0.0-1
> Control: fixed -1 7.4.2
> 
> On Nov 17, Salvatore Bonaccorso <car...@debian.org> wrote:
> 
> > CVE-2023-44487[0]:
> > | The HTTP/2 protocol allows a denial of service (server resource
> > | consumption) because request cancellation can reset many streams
> > | quickly, as exploited in the wild in August through October 2023.
> Fixing this issue would require backporting a significant amount of 
> new features in varnish and I do not believe that it would be practical.
> 
> I am inclined to downgrade this bug because:
> - this is just a DoS attack
> - it only concerns people using hitch for TLS termination instead of 
>   a full web server like nginx or haproxy
> 
> nginx in stable is also vulnerable, BTW.

While I do agree (and it was filed with this severity) that the bug
severity would not be RC, varnish currently seems to lack active
maintainership.

As such an RC bug keeps it out of testing until someone steps up for a
commitment maintaining varnish.

Unfortunately now varnish is back in testing due to this downgrade.

What we can do is to file a proper RC severity varnish bug which can
be closed once someone steps up to maintain varnish for the stable
and oldstable release cycles as well.

Regards,
Salvatore
